Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Currently, unpublished skus can still be added to orders via the admin order pages.
Comment | File | Size | Author |
---|---|---|---|
#12 | 1054028-order-admin-node-access.patch | 1.49 KB | longwave |
Comments
Comment #1
TR CreditAttribution: TR commentedI think the admin should be allowed to do anything - even add a product that's not yet (or no longer) available to the general public.
Comment #2
longwaveI have a store where unpublished items are used in the admin pages; for some items there is limited stock and they are not always available directly via the website (products are unpublished) but customers may call and have an item added to their order manually. As TR says, a store admin can and should be able to do things that their customers cannot.
Comment #3
Coyote CreditAttribution: Coyote commentedHere's the problem - there isn't one admin on this site. There are several people with enough administrative abilities to create orders for customers, but they should _not_ be allowed to sell products that are no longer for sale.
Sure, it's great for the superadmin account or privileged accounts to do special things, but this is a case where a store employee should not be allowed to do something that a manager is allowed to do.
Comment #4
Coyote CreditAttribution: Coyote commentedBump?
Comment #5
longwaveI guess this calls for a new permission, "view unpublished products" or similar, that is checked on the create order pages, but this is probably better off in a contrib module than in core, unless someone wants to provide a fairly simple patch for it.
Comment #6
longwaveMarked #1520840: customizing the order admin back end as duplicate
Comment #7
TR CreditAttribution: TR commentedNew features should go into 7.x-3.x first.
Comment #8
SilviuChingaru CreditAttribution: SilviuChingaru commentedComment #9
longwaveDo we need a new permission here, or is "administer products" enough? Or what about "bypass node access" that node.module provides?
Comment #10
SilviuChingaru CreditAttribution: SilviuChingaru commentedI think bouth should be used with OR...
Comment #11
longwaveEven simpler, should we just use node_access(), so any user can only add products that they currently have permission to view? As we already use this for adding items to the cart, it makes sense to use the same rules on the admin side as well.
Comment #12
longwaveThe attached patch converts the query used here to use the node_access tag, so admins can only add products that they have permission to view.
Comment #13
longwaveCommited #12.
Comment #15
SilviuChingaru CreditAttribution: SilviuChingaru commented