In the case where a user has the permission to view own entities but doesn't have the permission to view all entities, Commerce will sometimes try to perform an access check but fail to grant access even when the user has access.

An example is a user viewing his own order who is unable to see the line items of that order, even though he is able to view the order itself.

Files:
Comment | File | Size | Author
#2 | 1434730-2.patch | 1.82 KB | googletorp
PASSED: [[SimpleTest]]: [MySQL] 3,553 pass(es).
#1 | 1434730.patch | 14.12 KB | googletorp
PASSED: [[SimpleTest]]: [MySQL] 3,553 pass(es).

Comments

Status: Active » Needs review
File: new, 14.12 KB
PASSED: [[SimpleTest]]: [MySQL] 3,553 pass(es).

The problem turned out to be a very simple line of code:

In the commerce_entity_access_query_alter function the base table for the query was found like this:

<?php
$tables = &$query->getTables();
$base_table = key($tables);
?>

In some cases this went well, but in other cases this didn't work out as it should, as the table selected as the base table would not be the same as the table used for the entity. When doing stuff like

<?php
$conditions->condition($base_table . '.' . $entity_info['access arguments']['user key'], $account->uid);
?>

The query could end up being 'commerce_line_item.uid = 2'. Since line items don't have a uid, the query will fail, but due to the nature of the query it doesn't generate a PDOException.

I have attached a patch that fixes this, you can also see this commit
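The failure mode described in the comment above, as an added example that is not part of the thread and is not the attached patch: it contrasts the first-key lookup with resolving the alias by table name. The `$tables` and `$entity_info` arrays are constructed samples in the shape Drupal 7 uses, and the `example_*` helper names are hypothetical.

```php
<?php
// Constructed sample in the shape SelectQuery::getTables() returns (keyed by
// alias). The first table is NOT the base table of the entity being checked.
$tables = array(
  'commerce_line_item' => array('join type' => NULL, 'table' => 'commerce_line_item', 'alias' => 'commerce_line_item'),
  'o' => array('join type' => 'INNER', 'table' => 'commerce_order', 'alias' => 'o'),
);

// Constructed entity info: orders are owned through the 'uid' column.
$entity_info = array(
  'base table' => 'commerce_order',
  'access arguments' => array('user key' => 'uid'),
);

// Hypothetical helper: find the alias under which the entity's base table
// actually appears in the query, or NULL when it is not part of the query.
function example_find_base_alias(array $tables, $base_table) {
  foreach ($tables as $alias => $info) {
    // Subqueries appear here with an object in 'table'; only match names.
    if (is_string($info['table']) && $info['table'] === $base_table) {
      return $alias;
    }
  }
  return NULL;
}

// Hypothetical helper: build the qualified owner column for the access
// condition, or NULL so the caller can refuse to add a condition on a guess.
function example_owner_column(array $tables, array $entity_info) {
  $alias = example_find_base_alias($tables, $entity_info['base table']);
  if ($alias === NULL) {
    return NULL;
  }
  return $alias . '.' . $entity_info['access arguments']['user key'];
}

// The lookup from the comment: whatever table comes first is treated as base.
$first_key_column = key($tables) . '.' . $entity_info['access arguments']['user key'];
echo "first-key lookup: " . $first_key_column . "\n";

// Matching on the table name finds the column that really holds the owner.
$column = example_owner_column($tables, $entity_info);
echo "matched lookup:   " . ($column !== NULL ? $column : '(base table not in query)') . "\n";
```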

File: new, 1.82 KB
PASSED: [[SimpleTest]]: [MySQL] 3,553 pass(es).

Uploaded same patch, but without all the junk from Drupal's build system.

This didn't solve the problem for me.

#3 Your comment isn't really of much help unless you state a test case where the permission check fails.

E.g. when viewing a FOO and the user has permission BAR, BAZ isn't displayed.

Issue tags: +1.3 review

Ryan mind if you look at this for 1.3 - I went and made a shameless tag :)

#2 was the solution I also had in mind ... can anyone give a use-case where this still fails?

Priority: Major » Normal
Status: Needs review » Closed (duplicate)

I'm pretty sure this just got fixed as part of the patch in #1879260: More robust query altering for line items. Marking duplicate, but feel free to reopen if I've missed an edge case in here.