Answering http://www.drupalcommerce.org/node/702#comment-1614, I noticed that the "create any product of any type" permission doesn't actually allow what it intends. Then it turns out that's true for all commerce entities... and it looks like "edit any of any type" and "view any of any type" are also broken. Patch attached.
| Comment | File | Size | Author |
|---|---|---|---|
| | commerce.create_any_is_broken.patch | 2.3 KB | rfay |
Comments
Comment #1
rszrama commented

View access is actually handled through query altering. If you look at commerce_entity_access_query_alter(), you'll see the third conditional statement grants "any" access:
Create access did need the additional check, but I left the else statement in there. Edit access was more nuanced. It wasn't that edit any permissions weren't working; it was that bundle specific edit any permissions were being completely ignored. I added bundle level checking in and fleshed out the comments for both create and edit / delete checks.
To test this, I used the following code at devel/php with Kickstart (which creates three products assigned to user 1). I then fiddled with the permissions for the anonymous user and kept executing the code until I got expected values for every permission. :P
Commit: http://drupalcode.org/project/commerce.git/commitdiff/32a9bc0
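
The create and edit / delete checks described in comment #1, modelled as a standalone added example with a permission matrix to exercise them. This is not Drupal Commerce's code and not the snippet run at devel/php: the permission strings, function names and sample accounts are hypothetical, and it assumes delete shares the edit permissions.

```php
<?php
// Standalone model: permission strings and function names are hypothetical.
function has_perm(array $perms, string $perm): bool {
  return in_array($perm, $perms, TRUE);
}

// $op is 'create', 'edit' or 'delete'; $entity is ['type' => bundle, 'uid' => owner].
function model_entity_access(string $op, array $entity, int $uid, array $perms): bool {
  $bundle = $entity['type'];
  if ($op === 'create') {
    // Global "create any" first, then the bundle-specific permission.
    return has_perm($perms, 'create any product')
      || has_perm($perms, "create product of bundle $bundle");
  }
  if ($op !== 'edit' && $op !== 'delete') {
    return FALSE; // Unknown operations are denied.
  }
  // "Any" access: global, then bundle level (the level described as ignored).
  if (has_perm($perms, 'edit any product')
    || has_perm($perms, "edit any product of bundle $bundle")) {
    return TRUE;
  }
  // "Own" access only applies when the account owns the entity.
  if ($entity['uid'] === $uid) {
    return has_perm($perms, 'edit own product')
      || has_perm($perms, "edit own product of bundle $bundle");
  }
  return FALSE; // Deny by default.
}

// Constructed permission matrix: one product of bundle "shirt" owned by uid 1.
$product = ['type' => 'shirt', 'uid' => 1];
$cases = [
  // [permissions, operation, acting uid, expected]
  [[], 'edit', 0, FALSE],
  [['edit any product'], 'edit', 0, TRUE],
  [['edit any product of bundle shirt'], 'delete', 0, TRUE],
  [['edit any product of bundle hat'], 'edit', 0, FALSE],
  [['edit own product of bundle shirt'], 'edit', 0, FALSE],
  [['edit own product of bundle shirt'], 'edit', 1, TRUE],
  [['create any product'], 'create', 0, TRUE],
  [['create product of bundle hat'], 'create', 0, FALSE],
];
foreach ($cases as [$perms, $op, $uid, $expected]) {
  $got = model_entity_access($op, $product, $uid, $perms);
  printf("%-4s %-6s uid=%d [%s]\n", $got === $expected ? 'ok' : 'FAIL',
    $op, $uid, implode(', ', $perms));
}
```

The negative rows matter as much as the positive ones: a permission for another bundle, or an "own" permission held by a non-owner, must still be denied.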