Answering http://www.drupalcommerce.org/node/702#comment-1614, I noticed that the "create any product of any type" permission doesn't actually allow what it intends. Then it turns out that's true for all commerce entities... and it looks like "edit any of any type" and "view any of any type" are also broken. Patch attached.

File | Size | Author
commerce.create_any_is_broken.patch | 2.3 KB | rfay

Comments

rszrama

Status: Needs review » Fixed

View access is actually handled through query altering. If you look at commerce_entity_access_query_alter(), you'll see the third conditional statement grants "any" access:

  // Do not apply any conditions for users with administrative view permissions.
  if (user_access('administer ' . $entity_type . ' entities', $account)
    || user_access('view any ' . $entity_type . ' entity', $account)) {
    return;
  }

Create access did need the additional check, but I left the else statement in there. Edit access was more nuanced. It wasn't that edit any permissions weren't working; it was that bundle specific edit any permissions were being completely ignored. I added bundle level checking in and fleshed out the comments for both create and edit / delete checks.

To test this, I used the following code at devel/php with Kickstart (which creates three products assigned to user 1). I then fiddled with the permissions for the anonymous user and kept executing the code until I got expected values for every permission. :P

// I used a non-administrative user 2 to check ownership permissions.
// I altered product 1's uid to 2 as well.
$account = user_load(0);

$product = commerce_product_load(1);
// I used this to test bundle specific permissions.
// $product->type = 't_shirt';

$access = array();

foreach (array('view', 'edit', 'create') as $op) {
  $access[] = $op .': '. commerce_entity_access($op, $product, $account, 'commerce_product');
}

return print_r($access, TRUE);

Commit: http://drupalcode.org/project/commerce.git/commitdiff/32a9bc0
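The manual permission fiddling described in the comment above can be written as a table-driven check, shown here as an added example that is not code from the thread or from Drupal Commerce. It models only the edit check in plain PHP; the function names, the `$check_bundle` switch, and the bundle-specific and "own" permission strings are assumptions made for this sketch.

```php
<?php
// Stand-alone model of the edit check (assumed names, no Drupal bootstrap).
// "administer ... entities" follows the snippet quoted in the thread; the
// "edit any/own ..." and "... of bundle X" strings are assumed for the sketch.
function model_edit_access($entity, $account, $type, $check_bundle) {
  $has = function ($perm) use ($account) {
    return in_array($perm, $account['perms'], TRUE);
  };
  $bundle = $entity['type'];
  if ($has("administer $type entities") || $has("edit any $type entity")) {
    return TRUE;
  }
  // The bundle-level "any" grant: skipping it models the reported behaviour.
  if ($check_bundle && $has("edit any $type entity of bundle $bundle")) {
    return TRUE;
  }
  // Ownership grants apply only to the entity's owner.
  if ($entity['uid'] !== $account['uid']) {
    return FALSE;
  }
  return $has("edit own $type entities")
    || ($check_bundle && $has("edit own $type entities of bundle $bundle"));
}

// Runs every row of the matrix and returns the rows whose result is wrong.
function model_edit_failures($check_bundle) {
  $type = 'commerce_product';
  $product = array('type' => 't_shirt', 'uid' => 2);  // constructed sample
  $cases = array(
    // permissions held, account uid, expected result
    array(array(), 0, FALSE),
    array(array("edit any $type entity"), 0, TRUE),
    array(array("edit any $type entity of bundle t_shirt"), 0, TRUE),
    array(array("edit any $type entity of bundle hat"), 0, FALSE),
    array(array("edit own $type entities"), 2, TRUE),
    array(array("edit own $type entities"), 3, FALSE),
    array(array("edit own $type entities of bundle t_shirt"), 2, TRUE),
  );
  $failures = array();
  foreach ($cases as $i => $case) {
    list($perms, $uid, $expected) = $case;
    $account = array('uid' => $uid, 'perms' => $perms);
    if (model_edit_access($product, $account, $type, $check_bundle) !== $expected) {
      $failures[] = "case $i (" . implode(', ', $perms) . ")";
    }
  }
  return $failures;
}

print "bundle checks skipped: " . implode('; ', model_edit_failures(FALSE)) . "\n";
print "bundle checks applied: " . count(model_edit_failures(TRUE)) . " failures\n";
```

The negative rows (wrong bundle, non-owner) matter as much as the positive ones: they confirm that adding bundle-level checks does not widen access beyond the permission actually granted.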

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.