The permissions are incorrectly configured for the payment views at admin/content/payment and user/%user/payment.

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Xano’s picture

Assigned: Unassigned » Xano
Status: Active » Fixed
FileSize
1.99 KB

And the payment method administration overview used an old permission that no longer existed.

Fixed and committed to 7.x-1.x-dev.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

Xano’s picture

Assigned: Xano » Unassigned
Alex Bukach’s picture

Version: 7.x-1.x-dev » 7.x-1.8
Issue summary: View changes
Status: Closed (fixed) » Needs review
FileSize
1.68 KB

In fact, just setting payment.payment.view.own permission for user/%user/payment view is not enough. Suppose I'm user A and I have permission payment.payment.view.own granted. When I go to user B page, I will see his Payments tab since to see it I need have payment.payment.view.own permission, and I do.

It seems we should use PHP access check for that display.

kruser’s picture

I tried the patch in #4, but as a User with View OWN payments I'm still able to see everyone else's payment tabs/data.

Xano’s picture

Did you re-install Payment? The patch changes the default view, but those changes do not have any effect if you have overridden the view on your site.

kruser’s picture

I reinstalled, but the patch only affects the Admin display, not the "User's own payments" display, so users can still see each other.

Xano’s picture

Status: Needs review » Needs work
Alex Bukach’s picture

Status: Needs work » Needs review
FileSize
16.09 KB

If a view has been created, it will not be overridden by code even the module is reinstalled. You'll just see that database overrides code at views list page (see the screenshot). To take the effect you need to revert the view. Bob, did you do this?

Xano’s picture

+++ b/payment/views/payment.views_default.inc
@@ -179,8 +179,8 @@ function payment_view_payments() {
+  $handler->display->display_options['access']['php_access'] = 'return payment_user_payments_access();';

It looks like the wrong view display is changed. This is the administrative one and not the one in users' profiles.

kruser’s picture

I didn't modify the view so the reverting option wasn't available.

Alex Bukach’s picture

Version: 7.x-1.8 » 7.x-1.9
FileSize
1.67 KB

Good point, Xano! Here's an updated patch.

kruser, sorry for this mistake, could you please try this patch.

Xano’s picture

I tried the patch, but I don't see any support for PHP access checking in Views. Are you perhaps using another contrib module for that?

Xano’s picture

Ah, there is Views PHP, but we can't rely on that. We probably need a custom access handler for this.

Xano’s picture

FileSize
2.25 KB

Most of the code is ready. When selecting this access method when editing a view, however, the configuration isn't saved properly.

Status: Needs review » Needs work

The last submitted patch, 15: payment_1446042_15.patch, failed testing.

Xano’s picture

Status: Needs work » Needs review

15: payment_1446042_15.patch queued for re-testing.

Status: Needs review » Needs work

The last submitted patch, 15: payment_1446042_15.patch, failed testing.

Xano’s picture

Status: Needs work » Needs review

15: payment_1446042_15.patch queued for re-testing.

Status: Needs review » Needs work

The last submitted patch, 15: payment_1446042_15.patch, failed testing.

Xano’s picture

Version: 7.x-1.9 » 7.x-1.x-dev
Xano’s picture

Status: Needs work » Needs review

15: payment_1446042_15.patch queued for re-testing.

Xano’s picture

FileSize
5.11 KB

This one should work. Before testing, make sure to revert the Payments view.

Xano’s picture

Status: Needs review » Fixed

I just manually tested this as well and it works. Thanks for the work and feedback!

  • Commit 646f118 on 7.x-1.x by Xano:
    Issue #1446042 by Xano, Alex Bukach: Payment views have incorrect...

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.