Link deposit functionality does not apply site security to revenue the user does not have access to

A user who doesn't have permissions to view revenue transactions for/from other sites can view them by "Linking all deposits". Site security does prevent the user from seeing the payment when searching revenue transactions, but the payments can still be accessed via the recently accessed area.
Download and install the latest Service Pack which contains all fixes from previous patches. If you are running an older version, download and install the latest version and then the patch.  

Steps to Duplicate

  1. Open an app user and note the site on their role.
  2. View a purpose record and note that the site on the purpose is different than the app user's.
  3. Run as the user in step 1 and note that you cannot add revenue for this designation, nor can you search for/open revenue that used that designation.
  4. Create a deposit, click link, and hit apply.
  5. Note that you are able to link revenue to the deposit that you would normally not be able to access or search for.
  6. After linking the revenue to the deposit click the hyperlink that would take you to the revenue page.
  7. Note that you will get a message ‘The specified page could not be loaded. The current user does not have rights to use this feature in the context of this specific record’.
  8. This message is expected but the user should not have been able to link to the deposit.
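
The steps above show search enforcing site security while the link path does not. The following is an added example, not Blackbaud code: it models that gap, a fix in which both paths share one site filter, and an audit check for payments already linked outside the user's sites. All class names, function names and sample data are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Payment:
    id: int
    site: str

@dataclass
class User:
    name: str
    sites: frozenset  # sites granted through the user's role

@dataclass
class Deposit:
    id: int
    payment_ids: list = field(default_factory=list)

def visible_to(user, payments):
    """The one site-security filter every code path should reuse."""
    return [p for p in payments if p.site in user.sites]

def search_revenue(user, payments):
    """Search path: already site secured, as the article describes."""
    return [p.id for p in visible_to(user, payments)]

def link_all_unfiltered(user, deposit, payments):
    """Behaviour the article reports: the bulk link ignores the user's sites."""
    deposit.payment_ids = [p.id for p in payments]
    return deposit.payment_ids

def link_all_site_secured(user, deposit, payments):
    """Hardened form: the bulk link goes through the same filter as search."""
    deposit.payment_ids = [p.id for p in visible_to(user, payments)]
    return deposit.payment_ids

def out_of_scope_links(user, deposit, payments):
    """Audit check: linked payments whose site the linking user cannot access."""
    site_of = {p.id: p.site for p in payments}
    return [pid for pid in deposit.payment_ids if site_of[pid] not in user.sites]

# Constructed sample data (hypothetical sites and ids).
PAYMENTS = [Payment(1, "North"), Payment(2, "South"), Payment(3, "North")]
CLERK = User("clerk", frozenset({"North"}))

if __name__ == "__main__":
    dep = Deposit(100)
    link_all_unfiltered(CLERK, dep, PAYMENTS)
    print("linked outside user's sites:", out_of_scope_links(CLERK, dep, PAYMENTS))
```
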

Environment

 Blackbaud CRM
 3.0
 4.0.172.0, Service Pack 12
 3.0.516.79
