I could be overlooking something, but it seems like when a user can download his own invoice as a PDF, he can do the same for EVERY invoice.

Tested setting the View's Access option to 'permission' and, as the permission, selecting Order -> View own orders of any type.

Is this a bug, or is this something we can configure?

Comments

silkogelman

Title: Security check for Commerce PDF Invoice » Permission to view PDF invoice
lsolesen

Title: Permission to view PDF invoice » Permission to view PDF invoice should be restricted
Category: support » bug

This should probably be handled by the module. However, it should be easy to configure in views - just choose the appropriate role under access.

silkogelman

Then my question is: how did you do it exactly?
Because if we give a person access to the View, they get access to all the invoices (by changing the URL).

I must say I haven't looked at this in months so if you have a solution that I am unaware of: please share.

lsolesen

Thought you could just change access to view own PDFs. However, maybe a new permission needs to be created. For the time being, I will rewrite my own custom PDF to use with Commerce, a PDF I crafted for a custom system I did a while back.

Simon Georges

Validation could appear on the "contextual filter" side (adding a default current-user contextual filter that would render a page-not-found for every invoice of other users), don't you think?
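The underlying problem in this thread is that a role or permission check on the View only decides whether a user may reach the invoice page at all, not whether the order ID in the URL belongs to them. The following is an added example, not code from the Commerce PDF Invoice module or from anyone in this thread. It assumes Drupal 7 and Drupal Commerce 1.x, where `commerce_order_access()` already distinguishes "view any" from "view own" orders; the module name `mymodule`, the path `invoice-pdf/%commerce_order`, and the render callback are hypothetical. The point is the per-order access callback: the order behind the URL argument is loaded and the current user must be allowed to view that specific order, so editing the order ID in the URL yields a 403 instead of someone else's invoice.

```php
<?php
/**
 * Added example (hypothetical module "mymodule"), not part of Commerce PDF
 * Invoice. Assumes Drupal 7 and Drupal Commerce 1.x.
 *
 * Implements hook_menu().
 *
 * The %commerce_order placeholder makes Drupal call commerce_order_load() on
 * the URL argument, so the access callback receives a loaded order object
 * (or FALSE, which causes a 404 before access is even checked).
 */
function mymodule_menu() {
  $items = array();
  $items['invoice-pdf/%commerce_order'] = array(
    'title' => 'Invoice PDF',
    'page callback' => 'mymodule_invoice_pdf_page',
    'page arguments' => array(1),
    'access callback' => 'mymodule_invoice_pdf_access',
    'access arguments' => array(1),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Access callback: allow only users who may view this particular order.
 *
 * commerce_order_access() honours the Commerce order permissions: users with
 * "view any orders" see every invoice, users with only "view own orders" see
 * invoices whose order uid matches their own, everyone else is denied.
 * Because the check is tied to the loaded order rather than to a role, a
 * user cannot widen their access by changing the order ID in the URL.
 */
function mymodule_invoice_pdf_access($order, $account = NULL) {
  if (empty($order) || empty($order->order_id)) {
    return FALSE;
  }
  return commerce_order_access('view', $order, $account);
}

/**
 * Page callback: placeholder for whatever renders the PDF.
 *
 * Only reached when mymodule_invoice_pdf_access() returned TRUE. The real
 * PDF generation is out of scope for this example; a render array stands in
 * for it.
 */
function mymodule_invoice_pdf_page($order) {
  return array(
    '#markup' => t('Invoice for order @number', array(
      '@number' => check_plain($order->order_number),
    )),
  );
}
```

If the invoice page stays a Views page display, the same idea applies: keep the View's access setting as a coarse gate, and add the ownership check either as a contextual filter whose default argument is the current user (as suggested above) or by overriding the menu item's access callback with hook_menu_alter() so that it loads the order and calls commerce_order_access() as shown here. Either way, the test that matters is the one that compares the requested order to the requesting user, not the one that asks whether the user has a role.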