Bug summary: Commerce.module provides a commerce profile entity type and a default bundle for billing information. Contributed modules like commerce_shipping can provide additional bundles. CRUD permissions for these bundles are configurable on the admin permissions page. However, these permissions are not enforced when commerce_customer renders the profile form on the applicable checkout pane.

Use case: I am using commerce_addressbook to allow a user to select from one of his existing profiles, or enter a new one. I'd like to disallow the user from editing the existing profiles (they are imported from an accounting system and have external keys attached to them) lest they think editing the address on file will result in an update to the external data source.

Steps to replicate: For a user with existing customer profiles on record, deselect all but "view own [bundle] customer profiles" permissions for the user's role. Expected behavior would be that the profile is visible/usable, but not editable. Instead, user is provided a form and edits are recorded to the database on submission.

Applicable code: http://drupalcode.org/project/commerce.git/blob/refs/heads/7.x-1.x:/modu...

Note: A permissions check in the above code would have to render an alternative to an editable form; that might be a form with all the applicable fields disabled, or (more likely) a rendered entity view of the profile.

Comments

Title: Customer Profile permissions not respected on checkout pane » Allow a store to disable editing addresses selected via the addressbook widget
Project: Drupal Commerce » Commerce Addressbook
Component: Customer » Code
Category: bug » feature

Ahh, I see. I was only thinking about the Addressbook related forms in our discussion, not the checkout form itself. The checkout form is something of a special case form in that your access to this form for a particular order indicates your access to use any pane on the form. As the checkout form is really just a front-end facing order edit form, a parallel can be drawn to the back-end admin order edit form where access / updates to customer profiles are similarly determined by the administrator's access to view the customer profile reference field widgets.

I think in this case I'm going to make this a feature request of the Addressbook module, because the situation you're encountering isn't possible without that module. It wouldn't make sense for us to support a pre-populated address in core where pre-populated addresses aren't possible, but it seems it would make perfect sense for the Addressbook module to add a setting to disallow the editing of selected addresses.

Category: feature » bug

I think we have a bug here.
I can edit a selected/existing address, even if I have no permission to edit any customer profiles.
So I think we need to disable the address form elements if there are no edit permissions.

Status: Active » Needs review
Attachment: new, 1.37 KB

Here is a patch that uses the profile edit permission to disable editing when the user has no update permission.

Status: Needs review » Fixed

Committed a different patch here => http://drupalcode.org/project/commerce_addressbook.git/blobdiff/5e47ba96...
The #disabled flag is set to TRUE when the user doesn't have the permission to update the profile.
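The check described in the comment above, written out as an added example in a small custom module (this is not the committed Commerce Addressbook patch and not Drupal Commerce code). It assumes Drupal 7 Commerce 1.x conventions: checkout form IDs begin with `commerce_checkout_form_`, each customer profile pane is keyed `customer_profile_<type>` in the checkout form, and the pane stores the loaded profile object in a `customer_profile` value element; the module name `mymodule` and the helper `mymodule_profile_form_locked()` are hypothetical. The access decision is delegated to `commerce_customer_profile_access()`, so the configured "edit own/any [bundle] customer profiles" permissions are what decide whether the form is locked.

```php
<?php
/**
 * Implements hook_form_alter().
 *
 * Added example, not project code. Locks every customer profile pane on the
 * checkout form when the current user may not update the profile that the
 * pane was populated with (for example one selected via the addressbook
 * widget). Panes holding a new, unsaved profile are left editable.
 *
 * Assumptions: checkout form IDs start with 'commerce_checkout_form_', panes
 * are keyed 'customer_profile_<type>', and the pane keeps the loaded profile
 * in $pane['customer_profile']['#value'].
 */
function mymodule_form_alter(&$form, &$form_state, $form_id) {
  if (strpos($form_id, 'commerce_checkout_form_') !== 0) {
    return;
  }

  foreach (element_children($form) as $pane_id) {
    // Iterate over all profile panes, so custom profile types created with
    // the Customer Profile Type UI are covered as well, not only billing.
    if (strpos($pane_id, 'customer_profile_') !== 0) {
      continue;
    }

    $pane = &$form[$pane_id];
    $profile = isset($pane['customer_profile']['#value'])
      ? $pane['customer_profile']['#value']
      : NULL;

    if (mymodule_profile_form_locked($profile)) {
      // Setting #disabled on the pane container is enough: Drupal 7's
      // form_builder() inherits #disabled into child elements, and Form API
      // ignores submitted input for disabled elements, so this is a
      // server-side restriction, not just a greyed-out widget.
      $pane['#disabled'] = TRUE;
    }
  }
}

/**
 * Hypothetical helper: TRUE when the pane's profile must not be editable.
 *
 * @param object|null $profile
 *   The commerce customer profile shown in the pane, or NULL.
 *
 * @return bool
 */
function mymodule_profile_form_locked($profile) {
  // Nothing to protect for an empty pane or a not-yet-saved profile; the
  // 'create' permission governs those and is checked elsewhere.
  if (empty($profile) || empty($profile->profile_id)) {
    return FALSE;
  }

  global $user;
  // commerce_customer_profile_access() honours both the "edit own" and
  // "edit any" permissions for the profile's bundle.
  return !commerce_customer_profile_access('update', $profile, $user);
}
```

Because the loop matches any `customer_profile_*` pane rather than hard-coding the billing pane, a profile type added through the Customer Profile Type UI is handled the same way as billing, provided its pane stores the profile under the assumed key; if a contributed pane uses a different key, that key is the one to read instead.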

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

I know this is an old thread, but I'm running the latest dev and I am still able to make changes to the checkout form (and in turn, the database) without any edit permissions. One potential caveat: these are custom profiles created using Customer Profile Type UI. Should I expect the "disabled" flags to be set on the forms regardless of the profile type?