Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Presently, Ubercart has a permission to administer product features. However, if this permission is granted, users can administer other user's product features. They could for example delete another user's product feature even though they don't have permission to access that node directly!
Comment | File | Size | Author |
---|---|---|---|
#5 | ubercart-601980-3.patch | 1.1 KB | fizk |
#2 | ubercart-601980-2.patch | 1.1 KB | univate |
Comments
Comment #1
syndicateStorm CreditAttribution: syndicateStorm commentedWe only need a few changes to allow users to only administer there own product features...
Change (1), add the permission:
Change (2), define the specifics of the permission:
The above code should fix the problem.
Comment #2
univate CreditAttribution: univate commentedThis is not really a bug, as giving users access to administer product features does exactly what it say, gives them access to administer product features, so this is really a new feature.
I have attached this as a patch.
Comment #3
syndicateStorm CreditAttribution: syndicateStorm commentedYou're right. Thanks for the patch!
Comment #4
fizk CreditAttribution: fizk commentedThis should've been committed by now.
Comment #5
fizk CreditAttribution: fizk commentedThere's a typo in #2. "adminster" should be "administer".
Comment #6
longwaveCommitted. Needs porting to 7.x.
Comment #7
longwaveCommitted.