Early Bird Registration for DrupalCon Portland 2024 is open! Register by 23:59 PST on 31 March 2024, to get $100 off your ticket.
I could be overlooking something, but it seems like when user can download his own invoice as PDF he can do the same for EVERY invoice.
Tested setting the View's Access options to check 'permission' and as permission select Order->View Own orders of any type.
is this a bug or is this something we can configure?
Comments
Comment #1
silkogelman CreditAttribution: silkogelman commentedComment #2
lsolesen CreditAttribution: lsolesen commentedThis should probably be handled by the module. However, it should be easy to configure in views - just choose the appropriate role under access.
Comment #3
silkogelman CreditAttribution: silkogelman commentedThen my question is: how did you do it exactly?
Because if we give a person access to the View they get access to all the invoices (by changing the url).
I must say I haven't looked at this in months so if you have a solution that I am unaware of: please share.
Comment #4
lsolesen CreditAttribution: lsolesen commentedThought you could just change access to view own pdf's. However, maybe a new permission needs to be created. For the time being, I will rewrite my own custom PDF to use with commerce, a pdf I crafted for a custom system I did a while back.
Comment #5
Simon Georges CreditAttribution: Simon Georges commentedValidation could appear on the "contextual filter" side (adding a default current user contextual filter that would render a page not found for every invoice of others users), don't you think?