Presently, Ubercart has a permission to administer product features. However, if this permission is granted, users can administer other users' product features. They could, for example, delete another user's product feature even though they don't have permission to access that node directly!


Comments

syndicateStorm

We only need a few changes to allow users to only administer their own product features...

Change (1), add the permission:

/**
 * Implementation of hook_perm().
 */
function uc_product_perm() {
  // syndicateStorm ===
  //$perms = array('administer products', 'administer product classes', 'administer product features');
  $perms = array('administer products', 'administer product classes', 'administer product features', 'administer own product features');
  // End syndicateStorm ===
  ...

Change (2), define the specifics of the permission:

/**
 * Menu access callback for 'node/%node/edit/uc-features'.
 */
function uc_product_feature_access($node) {
  // syndicateStorm ===
  //return uc_product_is_product($node) && user_access('administer product features');
  global $user;
  // Site-wide administrators keep full access; everyone else must hold the
  // new permission AND be the author of the product node.
  return uc_product_is_product($node) &&
    (user_access('administer product features') ||
     (user_access('administer own product features') && $user->uid == $node->uid));
  // End syndicateStorm ===
}

The above code should fix the problem.
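To see the ownership check behave on concrete inputs, here is an added stand-alone script (not part of the patch or of Ubercart) that stubs out user_access() and uc_product_is_product() with a hypothetical in-memory permission table and passes the acting account explicitly instead of reading global $user. It also adds a uid != 0 guard the posted patch does not have, so the anonymous-author edge case is visible.

```php
<?php
// Added example, not Ubercart code: exercises the "administer own product
// features" logic offline. user_access() and uc_product_is_product() below are
// hypothetical stubs standing in for Drupal's real functions.

// Hypothetical per-user permission table (constructed sample data).
$PERMS = array(
  1 => array('administer product features'),      // site admin
  7 => array('administer own product features'),  // seller who owns a product
  8 => array('administer own product features'),  // another seller
  0 => array('administer own product features'),  // anonymous role, misconfigured
);

function user_access($perm, $account) {
  global $PERMS;
  return in_array($perm, $PERMS[$account->uid]);
}

function uc_product_is_product($node) {
  return $node->type == 'product';
}

function uc_product_feature_access($node, $account) {
  if (!uc_product_is_product($node)) {
    return FALSE;
  }
  if (user_access('administer product features', $account)) {
    return TRUE;  // global administrators keep full access
  }
  // Ownership test. The uid != 0 guard is NOT in the posted patch: without it,
  // an anonymous visitor (uid 0) would "own" every node authored by uid 0.
  return user_access('administer own product features', $account)
    && $account->uid != 0
    && $account->uid == $node->uid;
}

// Constructed sample nodes.
$owned_by_7 = (object) array('type' => 'product', 'uid' => 7);
$anon_node  = (object) array('type' => 'product', 'uid' => 0);

$cases = array(
  'owner edits own product'      => array($owned_by_7, 7, TRUE),
  'other seller edits it'        => array($owned_by_7, 8, FALSE),
  'site admin edits it'          => array($owned_by_7, 1, TRUE),
  'anonymous edits anon product' => array($anon_node,  0, FALSE),
);
foreach ($cases as $label => $c) {
  $got = uc_product_feature_access($c[0], (object) array('uid' => $c[1]));
  printf("%-30s %s\n", $label, $got === $c[2] ? 'ok' : 'MISMATCH');
}
```

Every case prints "ok"; dropping the uid != 0 guard flips the last case to MISMATCH, which is the behaviour the committed patch would show on a site that grants the anonymous role the own-features permission.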

univate

Category: bug » feature
Status: Active » Needs review

This is not really a bug, as giving users access to administer product features does exactly what it says, gives them access to administer product features, so this is really a new feature.

I have attached this as a patch.

syndicateStorm

You're right. Thanks for the patch!

fizk

This should've been committed by now.

fizk


There's a typo in #2. "adminster" should be "administer".

longwave

Version: 6.x-2.x-dev » 7.x-3.x-dev
Status: Needs review » Patch (to be ported)

Committed. Needs porting to 7.x.

longwave

Status: Patch (to be ported) » Fixed

Committed.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.