The permissions are incorrectly configured for the payment views at admin/content/payment and user/%user/payment.
Comment | File | Size | Author |
---|---|---|---|
#23 | payment_1446042_23.patch | 5.11 KB | Xano |
Comments
Comment #1
Xano
And the payment method administration overview used an old permission that no longer existed.
Fixed and committed to 7.x-1.x-dev.
Comment #3
Xano
Comment #4
Alex Bukach
In fact, just setting the payment.payment.view.own permission for the user/%user/payment view is not enough. Suppose I'm user A and I have the permission payment.payment.view.own granted. When I go to user B's page, I will see his Payments tab, since to see it I need to have the payment.payment.view.own permission, and I do.
It seems we should use a PHP access check for that display.
Comment #5
kruser
I tried the patch in #4, but as a User with View OWN payments I'm still able to see everyone else's payment tabs/data.
Comment #6
Xano
Did you re-install Payment? The patch changes the default view, but those changes do not have any effect if you have overridden the view on your site.
Comment #7
kruser
I reinstalled, but the patch only affects the Admin display, not the "User's own payments" display, so users can still see each other.
Comment #8
Xano
Comment #9
Alex Bukach
If a view has been created, it will not be overridden by code even if the module is reinstalled. You'll just see that the database overrides code on the views list page (see the screenshot). For it to take effect you need to revert the view. Bob, did you do this?
Comment #10
Xano
It looks like the wrong view display is changed. This is the administrative one and not the one in users' profiles.
Comment #11
kruser
I didn't modify the view so the reverting option wasn't available.
Comment #12
Alex Bukach
Good point, Xano! Here's an updated patch.
kruser, sorry for this mistake, could you please try this patch?
Comment #13
Xano
I tried the patch, but I don't see any support for PHP access checking in Views. Are you perhaps using another contrib module for that?
Comment #14
Xano
Ah, there is Views PHP, but we can't rely on that. We probably need a custom access handler for this.
Comment #15
Xano
Most of the code is ready. When selecting this access method when editing a view, however, the configuration isn't saved properly.
Comment #17
Xano
15: payment_1446042_15.patch queued for re-testing.
Comment #19
Xano
15: payment_1446042_15.patch queued for re-testing.
Comment #21
Xano
Comment #22
Xano
15: payment_1446042_15.patch queued for re-testing.
Comment #23
Xano
This one should work. Before testing, make sure to revert the Payments view.
Comment #24
Xano
I just manually tested this as well and it works. Thanks for the work and feedback!
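
The access gap described in comment #4 and the ownership check proposed in comment #14, as an added example that is not part of the thread or the Payment module's patch. It is plain PHP with no Drupal calls; the function names and the sample accounts are hypothetical, and only the permission name payment.payment.view.own comes from the thread.

```php
<?php
// Constructed sample accounts: uid => granted permissions (uid 0 is anonymous).
$accounts = array(
  0 => array(),
  1 => array('payment.payment.view.own'), // user A
  2 => array('payment.payment.view.own'), // user B
  3 => array(),                           // authenticated, no permission
);

// Hypothetical helper: does the account hold the named permission?
function has_permission(array $accounts, $uid, $permission) {
  return isset($accounts[$uid]) && in_array($permission, $accounts[$uid], TRUE);
}

// Permission-only check: the behaviour reported in comment #4.
// The uid taken from the user/%user/payment path is never consulted,
// so anyone holding the permission passes on every profile.
function access_permission_only(array $accounts, $viewer_uid, $profile_uid) {
  return has_permission($accounts, $viewer_uid, 'payment.payment.view.own');
}

// Ownership-aware check: what a custom access handler has to decide.
// The viewer needs the permission AND must be the user named in the path.
function access_own_payments(array $accounts, $viewer_uid, $profile_uid) {
  // The path argument is untrusted input: accept digits only.
  if (!ctype_digit((string) $profile_uid)) {
    return FALSE;
  }
  // Anonymous visitors never own a payments tab.
  if ((int) $viewer_uid <= 0) {
    return FALSE;
  }
  return has_permission($accounts, $viewer_uid, 'payment.payment.view.own')
    && (int) $viewer_uid === (int) $profile_uid;
}

// Access matrix: array(viewer uid, uid from the requested path).
$cases = array(array(1, '1'), array(1, '2'), array(2, '1'),
               array(3, '3'), array(0, '1'), array(1, '2abc'));
foreach ($cases as $case) {
  list($viewer, $profile) = $case;
  printf("viewer %d on user/%s/payment: permission-only=%s ownership=%s\n",
    $viewer, $profile,
    access_permission_only($accounts, $viewer, $profile) ? 'allow' : 'deny',
    access_own_payments($accounts, $viewer, $profile) ? 'allow' : 'deny');
}
```

Rows where the two columns disagree are the cross-user exposures reported in comments #4 and #5; the same matrix works as a manual test plan after reverting the Payments view.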