steps to reproduce: 1. Find a public paid app like https://marketplace.firefox.com/developers/app/in-app-payment-tester-1/payments/ 2. Add a new owner to this existing app 3. Try to access the bango portal by clicking the 'View Transactions' link expected behavior: Bango portal loads fine to the newly added owner of the paid app. there may be cases where multiple people may need access to the payments metrics observed behavior: Launching the bango portal fails with a 403 GET https://marketplace.firefox.com/developers/app/in-app-payment-tester-1/payments/bango-portal [HTTP/1.1 403 FORBIDDEN 162ms]
I think payment accounts are linked to the developer, not the owner of the app though. I think we should be consistent with this. Other issues: - in a larger organisation, where a developer uploads an app, then adds in accounting to create the payment account. I'm not sure the developer should get access to the bango portal. - shared accounts will need blocking, so that you can't access the details of the shared account - monolith will provide us with app stats, so the owner will get access to those and those might at some point in the future show payment information. If we did do this, I'd rather have an explicit permission from the owner of the payment account to share the payment account, as opposed to sharing the app.
Let's make this an explicit permission granted by the payment account owner.
Based on the recently announced future plans for the Marketplace to remove payments, closing these bugs.