In the case where a user has the permission to view own entities but doesn't have the permission to view all entities, Commerce will sometimes try to perform an access check but fail to grant access even when the user has access.
An example is a user viewing his own order who is unable to see the line items of that order, even though he is able to view the order itself.
Comment | File | Size | Author |
---|---|---|---|
#2 | 1434730-2.patch | 1.82 KB | googletorp |
#1 | 1434730.patch | 14.12 KB | googletorp |
Comments
Comment #1
googletorp commented: The problem turned out to be a very simple line of code:
In the commerce_entity_access_query_alter function the base table for the query was found like this:
In some cases this went well, but in other cases this didn't work out as it should, as the table selected as the base table would not be the same as the table used for the entity. When doing stuff like
$conditions->condition($base_table . '.' . $entity_info['access arguments']['user key'], $account->uid);
The query could end up being 'commerce_line_item.uid = 2'. Since line items don't have a uid, the query will fail, but due to the nature of the query it doesn't generate a PDOException.
I have attached a patch that fixes this; you can also see this commit.
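The failure mode described in comment #1, as an added example that is not part of the original comment and is not Drupal Commerce's code. It assumes a naive "first table in the query" lookup (the page does not show the original line); the function names and the sample table list are hypothetical and constructed here.

```php
<?php
// Constructed sample in the shape returned by SelectQuery::getTables():
// alias => table info. The line item table is first, the order table is joined.
$tables = [
  'commerce_line_item' => ['join type' => NULL, 'table' => 'commerce_line_item', 'alias' => 'commerce_line_item'],
  'commerce_order' => ['join type' => 'INNER', 'table' => 'commerce_order', 'alias' => 'commerce_order'],
];

// Constructed entity info for the entity whose access is being checked.
$entity_info = [
  'base table' => 'commerce_order',
  'access arguments' => ['user key' => 'uid'],
];

// Assumed naive lookup: treat the first table in the query as the entity's table.
function first_table_alias(array $tables) {
  reset($tables);
  return key($tables);
}

// Stricter lookup: return the alias whose underlying table is the entity's
// base table, or NULL when that table is not part of the query.
function entity_table_alias(array $tables, array $entity_info) {
  foreach ($tables as $alias => $info) {
    // 'table' can also be a subquery object, so only compare plain names.
    if (is_string($info['table']) && $info['table'] === $entity_info['base table']) {
      return $alias;
    }
  }
  return NULL;
}

// Build the "own entities" condition, refusing to guess a table so that a
// mismatch is reported instead of silently filtering out every row.
function owner_condition($alias, array $entity_info, $uid) {
  if ($alias === NULL) {
    throw new InvalidArgumentException('Entity base table is not in the query.');
  }
  return $alias . '.' . $entity_info['access arguments']['user key'] . ' = ' . (int) $uid;
}

// The naive lookup puts the owner check on the line item table, which has no uid.
echo owner_condition(first_table_alias($tables), $entity_info, 2), "\n";
// The stricter lookup puts it on the order table, where the user key lives.
echo owner_condition(entity_table_alias($tables, $entity_info), $entity_info, 2), "\n";
```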
Comment #2
googletorp commented: Uploaded same patch, but without all the junk from Drupal's build system.
Comment #3
mossy2100 commented: This didn't solve the problem for me.
Comment #4
googletorp commented: #3 Your comment isn't really of much help unless you state a test case where the permission check fails.
For example: when viewing a FOO and the user has permission BAR, BAZ isn't displayed.
Comment #5
googletorp commented: Ryan, mind if you look at this for 1.3? I went and made a shameless tag :)
Comment #6
rcross commented: This sounds like it might be a duplicate of #1276450: Views results empty for unprivileged user when using Relationship: Content: Referenced Product, or at least the same root problem as #1323366: Query access fails in certain cases on post-RC1 Views.
Comment #7
cvangysel commented: #2 was the solution I also had in mind ... can anyone give a use-case where this still fails?
Comment #8
rszrama commented: I'm pretty sure this just got fixed as part of the patch in #1879260: More robust query altering for line items. Marking duplicate, but feel free to reopen if I've missed an edge case in here.