@sauloperez apart from the sentence, the epic is ready for review!

done

In terms of permissions, do we want to add this as a new item in the permissions UI? That way a distributor could selectively grant this permission to some suppliers and not others...

@Matt-Yorkley we went for an enterprise settings see mockups here:

https://github.com/openfoodfoundation/openfoodnetwork/issues/5054

We discussed this during inception but chose not to go towards detailed permissions yet as we are only focusing on names. https://community.openfoodnetwork.org/t/1-hubs-suppliers-can-prepare-the-invidual-orders-for-the-hubs-customers/1151/49?u=rachel

Suppliers/Producers can't actually view Xero Invoice reports for a distributor's orders (unless the user also manages that distributor), and they don't contain customer names anyway...

Customers report is not viewable by suppliers either, it only returns data to users that manage the distributor enterprise (who can see customer names already). Same with all Order Cycle Management reports and Sales Tax reports.

@Matt-Yorkley we did a list of all reports in the issue here: https://github.com/openfoodfoundation/openfoodnetwork/issues/5054

So I think the list of reports we actually need to implement this for is only:

• Orders and distributors (one column: Customer name)
• Bulk Co-op (one column: Customer name)
• Orders and Fulfillment - Order Cycle Customer Totals (one column: Customer name)
• All Customers (name and first names are two columns on these ones!)
• Enterprise Fee
• All Order Cycle Management (name and first names are two columns on this one!)
• All Sale Tax
• Xero invoices
• All packing reports (name and first names are two columns on these ones!)

@Matt-Yorkley I'm not sure I agree. When I login as a supplier I do have access to all these reports.

Maybe you tested as a producer that does not sell? In any case we must cover both type of producers. But you are right this is missing from the tests cases. I will add them.

As an example: if you log in as a user that only manages a supplier can you see any data in Customer reports for customers of a distributor that the logged in user does not manage?

@Matt-Yorkley aaah yes ok I understand now. Indeed, the supplier can access the report, bu cannot see _data_ from the distributor :+1:

Yep. The Customers report only returns data for distributors the user manages. The same logic applies to the other reports I crossed off the list :+1:

I think if we make any mistakes while touching this code, we could easily create some serious data privacy issues. We need to be really careful and precise with this... :sweat_smile:

5769 got merged so this will be shipped to production next Tuesday! :tada:

As discussed in delivery train, I've moved #5055 to an epic dedicated to analytics. Thus closing here :)