The Views Megarow requires granting the administer commerce_product entities permission. This is too much for most users. It should be able to handle the more fine grained per product type permissions to enable editing of those product types that users do actually have the permission to edit.

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

mrfelton’s picture

Status: Active » Needs work
FileSize
624 bytes

This is not really the right approach, as it opens up the ability to edit a product based on wether the user has the permission to edit the display node. But, in our simple use case, users that have access to edit the display do also have permission to edit the linked products. So, I attach this patch for those that might have a similar setup.

Ultimately, this needs to be made more intelligent so that it is the per-product type edit permission that is checked.

logii’s picture

#1 Worked for me.

vasike’s picture

Status: Needs work » Needs review
FileSize
3.41 KB

here is a new patch that completes the work started on #1 patch.
it uses this access for "Quick Edit" link from "Operations links" Views handler.
And also adds a permission check for inside quick edit form for the product form elements.
if there's no update access for the product the form elements will be disabled.

to do:
- the "administer commerce_product entities" is the permission set for the Backoffice Products view.
imho opinion this should be changed with a more flexibile custom permission
for example: let an user with only access for updating a product display type and its product type entities
to access this page.

jsacksick’s picture

Issue summary: View changes
Status: Needs review » Fixed

Committed! Thanks (8aa251a), forgot to append --author :(

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.