If a user is granted "Edit any order", the delete link in the operations dropdown is still accessible. This is because the first access argument for $items['admin/commerce/orders/%commerce_order/delete'] is "update" instead of "delete".
I have a patch ready to submit. In the meantime, this code can be implemented in any module to fix the issue:
```php
/**
 * Implements hook_menu_alter().
 */
function MODULE_menu_alter(&$items) {
  // Change access argument from update to delete.
  $items['admin/commerce/orders/%commerce_order/delete']['access arguments'] = array('delete', 3);
}
```
Comment | File | Size | Author |
---|---|---|---|
#1 | wrong_access_argument_passed_to_order_delete_operations_link-2217899-2.patch | 610 bytes | tonylegrone |
Comments
Comment #1
tonylegrone commented
Comment #2
tonylegrone commented
Comment #3
rszrama commented
Are you sure this has the effect you want? We don't actually differentiate between "update" and "delete" when performing access checks, at least in core. There is no separate edit vs. delete permission, delete being considered just another form of editing.
Comment #4
tonylegrone commented
I see. I didn't actually realize that there was no delete permission because we usually give our clients the administer order permission. This came up because we have one client with staff who need to be allowed to edit certain orders, but not delete them.
Since this appears to be a rare case, I guess the hook_menu_alter() in a custom module is the best way to handle it when needed.
Comment #5
juanramonperez commented
I'm trying to implement hook_commerce_entity_access() and the "delete" option is not fired. So, I think that the correct way is passing the "delete" option in the argument.
The patch works for me.
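The use case from comments #4 and #5, as an added example that is not part of the original thread or of Commerce's own code: a custom module lets staff edit orders but blocks deletion unless they hold a separate permission. The module name `mymodule` and the permission `mymodule delete orders` are hypothetical; the example assumes the hook signature `hook_commerce_entity_access($op, $entity, $account, $entity_type)` and that the delete menu item passes `'delete'` as its first access argument, as the patch does.

```php
<?php

/**
 * Implements hook_permission().
 */
function mymodule_permission() {
  return array(
    // Hypothetical permission; Commerce itself defines no separate
    // delete permission for orders.
    'mymodule delete orders' => array(
      'title' => t('Delete orders'),
      'description' => t('Delete orders the user is otherwise allowed to edit.'),
      'restrict access' => TRUE,
    ),
  );
}

/**
 * Implements hook_commerce_entity_access().
 *
 * Returning FALSE denies the operation, TRUE grants it, and NULL leaves
 * the decision to Commerce's own permission checks.
 */
function mymodule_commerce_entity_access($op, $entity, $account, $entity_type) {
  // Only act on order deletion. This branch is reachable only when the
  // caller passes 'delete'; while the menu item passed 'update', the
  // hook saw $op == 'update' for the delete form and could not tell the
  // two operations apart.
  if ($entity_type != 'commerce_order' || $op != 'delete') {
    return NULL;
  }

  // Deny deletion to accounts without the dedicated permission.
  if (!user_access('mymodule delete orders', $account)) {
    return FALSE;
  }

  // Holders of the permission still go through the normal checks.
  return NULL;
}
```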
Comment #6
rszrama commented
Committed this fix and also updated the access arguments for the product delete form menu item. Customer and payment transaction menu items already used 'delete' instead of 'update'.