As an anonymous user trying to add to cart I get this error. When I'm logged in as administrator I can still order without problems though. Pretty critical since nobody can order in my shop anymore.

Comments

rszrama’s picture

Can you tell me what the data in that field is? You should only get the error if you specify a non-numeric product ID or if the Product Reference module can't load the product. Perhaps there's some permission check gone awry?

dmadruga’s picture

Hey JGO,

Did you try giving the "View any entity of type Commerce Product of any bundle" permission to the anonymous user?

Regards,
Daniel Madruga
http://danielmadruga.wordpress.com
http://www.B2Trip.com - Get help to plan your trip!

dmadruga’s picture

Hummm... After posting my last message I started wondering what's the purpose of this permission. If a product is only viewed through its corresponding display node, what's the real purpose of this permission (beyond causing this sort of confusion)?

Countzero’s picture

I just stumbled on this problem too, and beside the fact I understand the logic behind this permission, I agree with the previous poster it's a bit confusing.

I'm testing Drupal Commerce with the Kickstart installation and must say I'm very impressed so far.

Perhaps this permission could be enabled by default in the installation profile?

rszrama’s picture

Yep - I was wondering if it was a permission problem. We probably shouldn't have added the access tag to the query in _commerce_product_match_products_standard() when we centralized our entity access control. I'll figure out a fix for it today, whether it's a revert or a conditional access tag or something.

rszrama’s picture

Title: Product: you have specified an invalid product for this reference field. » Add optional access control checking to product reference field settings
Category: bug » feature

I fixed this by adding a parameter to the match product functions in commerce_product.module to explicitly add the access control tag. Default behavior is to not have this for now, but my hunch is we'll need to add a setting to the product reference field on whether to include access control or not. I'm going to repurpose this issue for that.

(I should've made it clear: update to the latest dev and you won't get the error any more, but don't give unfettered access to edit product reference fields if you need access control in them - we'll have that back in shortly.)
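The behaviour discussed in the comments above, as an added example that is not part of the original thread and is not Drupal Commerce code: a simplified, self-contained model of reference validation where the access check on the product match is an optional parameter. The function names, the sample products and the role table are hypothetical; the permission label and the error text are the ones quoted in this thread.

```php
<?php
// Constructed sample data standing in for stored products and role permissions.
const VIEW_PERM = 'View any entity of type Commerce Product of any bundle';
$products = [1 => 'Blue shirt', 2 => 'Red shirt'];
$perms = ['anonymous' => [], 'administrator' => [VIEW_PERM]];

// Hypothetical model of a match function: the access tag is applied only on request.
function match_products(array $products, array $ids, array $role_perms, bool $access_tag = FALSE): array {
  $found = array_intersect_key($products, array_flip($ids));
  // A tagged query is filtered by entity access; without the view permission nothing matches.
  if ($access_tag && !in_array(VIEW_PERM, $role_perms, TRUE)) {
    return [];
  }
  return $found;
}

// Hypothetical field validation: every submitted ID must be numeric and must match.
function validate_reference(array $submitted, array $products, array $role_perms, bool $access_tag): array {
  $errors = [];
  $ids = [];
  foreach ($submitted as $value) {
    if (is_int($value) || ctype_digit((string) $value)) {
      $ids[] = (int) $value;
    }
    else {
      $errors[] = "$value: you have specified an invalid product for this reference field.";
    }
  }
  $found = match_products($products, $ids, $role_perms, $access_tag);
  foreach ($ids as $id) {
    if (!isset($found[$id])) {
      $errors[] = "$id: you have specified an invalid product for this reference field.";
    }
  }
  return $errors;
}

$cases = [
  'anonymous, tag always on (the reported bug)' => ['anonymous', [1], TRUE],
  'administrator, tag always on' => ['administrator', [1], TRUE],
  'anonymous, tag off (default after the fix)' => ['anonymous', [1], FALSE],
  'anonymous, tag off, non-numeric ID' => ['anonymous', ['abc'], FALSE],
];
foreach ($cases as $label => [$role, $submitted, $tag]) {
  $errors = validate_reference($submitted, $products, $perms[$role], $tag);
  echo $label . ': ' . ($errors ? implode('; ', $errors) : 'valid') . PHP_EOL;
}
```

With the tag off, any existing product ID validates regardless of the submitter's view permission, which is the access-control gap the comment above warns about for anyone allowed to edit product reference fields.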

JGO’s picture

Thanks for looking into it, are you sure it's in the latest dev? That one is dated 3rd of July.

rszrama’s picture

Yeah, it's in there - the actual dev release only gets repackaged once a day. If you're using Git, you can always pull the latest changes as soon as I commit them.

TimelessDomain’s picture

The purpose of this permission should be to hide fields attached to a referenced product entity, while still being able to display the rest of the node.
Right now you cannot hide the price while still showing the product. There should be a permission to view product price, or this permission should hide the product entity data on nodes.

I tried to work around this using the Field Permissions module (http://drupal.org/project/field_permissions), but I could only get it to hide the add-to-cart button and not the price (or any other fields attached to a product entity & displayed through a product reference field).
The field permissions should apply to all fields displayed through a product reference field on a node. I have opened an issue to do just this: #1233628: Commerce - Product Entity & Product Entity Reference Field Permissions. If commerce could provide this without the Field Permissions module, this would be ideal. In the meantime if you know a work-around to hide price from specific roles, please post it. Thanks
_____
UPDATE:
Ended up using rules to put the price into another field which could be hidden.

This export contains both a decimal field & text field that get populated by the Commerce Price field (works with updates). Attach these fields to the Product Entity.

{ "rules_duplicate_price" : {
    "LABEL" : "Duplicate Price",
    "PLUGIN" : "reaction rule",
    "REQUIRES" : [ "rules", "entity" ],
    "ON" : [ "commerce_product_presave" ],
    "IF" : [
      { "entity_has_field" : { "entity" : [ "commerce-product" ], "field" : "commerce_price" } },
      { "entity_has_field" : { "entity" : [ "commerce-product" ], "field" : "field_price_displayed" } },
      { "data_is" : { "data" : [ "commerce-product" ], "value" : [ "commerce-product" ] } },
      { "entity_has_field" : { "entity" : [ "commerce-product" ], "field" : "field_price_view" } }
    ],
    "DO" : [
      { "data_calc" : {
          "USING" : {
            "input_1" : [ "commerce-product:commerce-price:amount" ],
            "op" : "\/",
            "input_2" : "100"
          },
          "PROVIDE" : { "result" : { "result" : "Calculation result" } }
        }
      },
      { "data_set" : {
          "data" : [ "commerce-product:field-price-displayed" ],
          "value" : [ "result" ]
        }
      },
      { "data_set" : {
          "data" : [ "commerce-product:field-price-view" ],
          "value" : [ "result" ]
        }
      }
    ]
  }
}

rszrama’s picture

Priority: Critical » Normal

No longer critical since the initial bug had been fixed.

geek-merlin’s picture

I had a use case where this shot me in the knee:
* created some product view with the price and attached it to the display as a pseudofield with EVA

An ugly workaround for this is to give anonymous the permission "view any product".
See #1303194: Clarify security implications of granting "View any Product product" permission

bojanz’s picture

Issue summary: View changes
Status: Active » Closed (outdated)