If a user can see user/UID/orders/OID, then they also have access to admin/commerce/orders/OID/view.

This isn't apparent, as there's no link from one to the other.

But it means that fixing #1665540: join up user order view and admin order view for admins -- which would add that link -- can't rely on menu item access.

Comments

rszrama:

I have two quick thoughts on how to fix this. Wondering which you think is better:

  1. Add an additional check for the permission "access administration pages."
  2. Swap the 'view' access check for an 'edit' access check on the order's admin view tab.

joachim:

1 makes the most sense to me, as there may be store admins who need to be able to see orders but not make changes. Also, requiring "access administration pages" is fairly standard for anything under '/admin'. (In fact, I thought it was always required under '/admin'?)

rszrama:

Apparently not. Might be worth doing the same check for all of our other admin pages.

rszrama:

Status: Active » Fixed

Alrighty, I added a new access callback to govern admin order page access. Decided against modifying the existing access function for the customer view to keep this from being an API breaking change.

Commit: http://drupalcode.org/project/commerce.git/commitdiff/212b07f
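The following is an added illustration of the approach described in the comment above (option 1 from earlier in the thread); it is not the code from the linked commit and not the Commerce project's own code. It assumes the Drupal 7 menu API and the existing commerce_order_access($op, $order, $account) check; the callback name commerce_order_admin_access(), the module name, the page callbacks and the exact menu paths are assumptions made for the example.

```php
<?php
/**
 * Added example (not Commerce's own code): a dedicated access callback for
 * the admin order pages, so that being able to view your own order at
 * user/UID/orders/OID no longer implies access to
 * admin/commerce/orders/OID/view.
 *
 * Assumptions: Drupal 7 menu API; commerce_order_access() is the existing
 * per-order access check; the names commerce_order_admin_access(),
 * example_menu() and the page callbacks are illustrative.
 */

/**
 * Access callback for the admin order pages.
 *
 * Grants access only when the account passes BOTH the generic
 * "access administration pages" permission AND the existing order-level
 * check (view / update / delete). Customers who can view their own order
 * pass the second check but not the first, which closes the gap described
 * in this issue without changing commerce_order_access() itself.
 *
 * @param string $op
 *   The operation being checked: 'view', 'update' or 'delete'.
 * @param object $order
 *   The fully loaded order from the %commerce_order path wildcard.
 * @param object|null $account
 *   The account to check; defaults to the current user.
 *
 * @return bool
 *   TRUE if access is granted, FALSE otherwise.
 */
function commerce_order_admin_access($op, $order, $account = NULL) {
  global $user;
  if (!isset($account)) {
    $account = $user;
  }
  // Generic admin permission first: this is what plain customers lack.
  if (!user_access('access administration pages', $account)) {
    return FALSE;
  }
  // Then the existing order-level check, so store staff still need the
  // relevant view/update/delete permission for this particular order.
  return commerce_order_access($op, $order, $account);
}

/**
 * Implements hook_menu().
 *
 * Only the admin item uses the new callback; the customer-facing item keeps
 * commerce_order_access(), so existing callers of that function are
 * unaffected (no API change).
 */
function example_menu() {
  $items = array();

  // Customer-facing order page: unchanged, uses the original access check.
  $items['user/%user/orders/%commerce_order'] = array(
    'title' => 'Order',
    'page callback' => 'example_order_view',
    'page arguments' => array(3),
    'access callback' => 'commerce_order_access',
    'access arguments' => array('view', 3),
    'type' => MENU_CALLBACK,
  );

  // Admin order view: same order-level check plus the admin permission.
  $items['admin/commerce/orders/%commerce_order/view'] = array(
    'title' => 'View',
    'page callback' => 'example_order_view',
    'page arguments' => array(3),
    'access callback' => 'commerce_order_admin_access',
    'access arguments' => array('view', 3),
    'type' => MENU_LOCAL_TASK,
  );

  return $items;
}

/**
 * Minimal page callback shared by both menu items (illustrative only).
 */
function example_order_view($order) {
  return array(
    '#markup' => t('Order @id', array('@id' => $order->order_id)),
  );
}
```

A quick way to confirm the fix behaves as intended is to log in as a customer with no administrative role, open user/UID/orders/OID (should render) and then admin/commerce/orders/OID/view (should now return 403); a store administrator with "access administration pages" plus the order view permission should still reach both. As noted earlier in the thread, the same two-part check can be applied to the other admin/commerce pages, since nothing under '/admin' requires "access administration pages" automatically.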

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.