have you tested accessing a basket, with all 3 settings 'off'? No, of course I haven't. The other member of staff surely ought to have one of these permissions.
I'm talking about having two members of staff (let's call them A and B) which both have been granted the rights to handle acquisitions. You may further imagine A and B working at different branches. You probably don't want one branches' staff to access another branches' acquisitions. Now A creates an order, say that's basket number 42. In acqui/booksellers.pl, there is code to prevent B from being shown basket 42 (currently, that code is broken, but that's another issue). But B can simply click on one of his own baskets (say 41), and in the URL being redirected to, edit ``basketno=41'' to ``basketno=42''. Voila, he can access A's basket he's supposedly not to do.