Impact
An unknown number of organizations encountered issues in the Billing section, as it did not list information related to groups and authors. The issue started on UTC-5 24-03-11 12:48 and was proactively discovered 2.1 days (TTD) later by one of our engagement managers, who reported through our help desk [1] that the Billing section on the platform was not displaying the information correctly. The problem was resolved in 20.4 hours (TTF), resulting in a total window of exposure of 2.9 days (WOE) [2].
Cause
The query fetching author information per group was not executed, leading to an error in the Billing module due to the absence of the api_resolvers_group_billing_resolve permission [3].
Solution
A condition that checked whether users had permission to perform a specific action related to Billing was removed from the front-end code, and the team also handled the Access denied error that occurred when users lacked the corresponding permission [4].
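The following is an added example, not the platform's own code, of the client-side pattern described in Cause and Solution: a front-end permission gate that silently skipped the query, beside the fixed version that always runs the query and surfaces the back-end's Access denied response. The permission name comes from the report above; the users, group, authors and API stand-in are constructed.

```javascript
// Permission name taken from the incident report.
const BILLING_PERMISSION = "api_resolvers_group_billing_resolve";

// Constructed stand-in for the back-end resolver. Authorization is enforced
// here, server-side, regardless of what the front-end believes.
const SERVER_GRANTS = new Set(["alice"]); // constructed: only alice may view billing
function fakeBillingApi(user, group) {
  if (!SERVER_GRANTS.has(user)) {
    return { data: null, errors: [{ message: "Access denied" }] };
  }
  return {
    data: { group, authors: ["dev1@example.com", "dev2@example.com"] }, // constructed
    errors: [],
  };
}

// Before the fix: the front-end decided on its own whether to execute the query,
// based on a client-held permission list. If that list lacked the permission
// (stale or incomplete), the query never ran and the user saw an empty Billing
// section with no error, which is the silent failure in this incident.
function loadBillingBefore(user, clientPermissions, group, api = fakeBillingApi) {
  if (!clientPermissions.includes(BILLING_PERMISSION)) {
    return { authors: [], error: null }; // query skipped, nothing signalled
  }
  const res = api(user, group);
  return { authors: res.data.authors, error: null };
}

// After the fix: always execute the query and treat the back-end as the
// authority. An Access denied error becomes an explicit state the UI can show,
// instead of an empty table that looks like missing data.
function loadBillingAfter(user, group, api = fakeBillingApi) {
  const res = api(user, group);
  const denied = res.errors.some((e) => e.message === "Access denied");
  if (denied) {
    return { authors: [], error: "Access denied" };
  }
  return { authors: res.data.authors, error: null };
}
```

Running loadBillingBefore with an empty client permission list reproduces the incident (empty result, no error) even though the server would have granted access; loadBillingAfter returns the data for alice and an explicit error for anyone else.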
Conclusion
A lack of understanding regarding permission validation on the front-end led to the issue reaching production. To prevent similar incidents, the team has implemented end-to-end tests for this specific case [5].