If a user is granted "Edit any order", the delete link in the operations dropdown is still accessible. This is because the first access argument for $items['admin/commerce/orders/%commerce_order/delete'] is "update" instead of "delete".

I have a patch ready to submit. In the meantime, this code can be implemented in any module to fix the issue:

/**
 * Implements hook_menu_alter().
 */
function MODULE_menu_alter(&$items) {
  // Change access argument from update to delete.
  $items['admin/commerce/orders/%commerce_order/delete']['access arguments'] = array('delete', 3);
}

Comments

tonylegrone’s picture

Status: Active » Needs review
rszrama’s picture

Are you sure this has the effect you want? We don't actually differentiate between "update" and "delete" when performing access checks, at least in core. There is no separate edit vs. delete permission, delete being considered just another form of editing.

tonylegrone’s picture

I see. I didn't actually realize that there was no delete permission because we usually give our clients the administer order permission. This came up because we have one client with staff they need to be allowed to edit certain orders, but not delete them.

Since this appears to be a rare case, I guess the hook_menu_alter() in a custom module is the best way to handle it when needed.

juanramonperez’s picture

Status: Needs review » Reviewed & tested by the community

I'm trying to implement the hook_commerce_entity_access() and the option "delete" is not fired. So, I think that the correct way is passing the "delete" option in the argument.

/**
 * Implements hook_commerce_entity_access().
 */
function MYMODULE_commerce_entity_access($op, $entity, $account, $entity_type) {
  if ($op == 'delete' && !user_access('administer site configuration')) {
    return FALSE;
  }
}

The patch works for me.

rszrama’s picture

Status: Reviewed & tested by the community » Fixed

Committed this fix and also updated the access arguments for the product delete form menu item. Customer and payment transaction menu items already used 'delete' instead of 'update'.

  • Commit a0e7c7f on 7.x-1.x authored by tonylegrone, committed by rszrama:
    Issue #2217899 by tonylegrone: update the menu items for order and...
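
The mismatch fixed in this issue can be checked for mechanically. The following is an added example, not code from the thread or from Drupal Commerce: a stand-alone PHP function that scans a hook_menu()-style array for delete paths whose access arguments pass a different operation. The function name, the sample array, and the 'commerce_order_access' callback value in it are assumptions for illustration; only the order delete path and its 'update' argument come from the issue.

```php
<?php
/**
 * Returns menu paths ending in an operation name (e.g. "delete") whose
 * first access argument names a different operation.
 *
 * Hypothetical helper: $items has the shape hook_menu() returns.
 */
function find_op_mismatches(array $items, array $ops = array('delete')) {
  $findings = array();
  foreach ($items as $path => $item) {
    $parts = explode('/', $path);
    $path_op = end($parts);
    if (!in_array($path_op, $ops, TRUE)) {
      continue;
    }
    // Without an explicit access callback, Drupal 7 falls back to
    // user_access(), whose first argument is a permission name, not an op.
    if (empty($item['access callback']) || $item['access callback'] === 'user_access') {
      continue;
    }
    // Nothing to compare if the item defines no access arguments itself.
    if (!isset($item['access arguments'][0])) {
      continue;
    }
    $checked_op = $item['access arguments'][0];
    if ($checked_op !== $path_op) {
      $findings[$path] = $checked_op;
    }
  }
  return $findings;
}

// Constructed sample input reproducing the state described in the issue.
$items = array(
  'admin/commerce/orders/%commerce_order/edit' => array(
    'access callback' => 'commerce_order_access',
    'access arguments' => array('update', 3),
  ),
  'admin/commerce/orders/%commerce_order/delete' => array(
    'access callback' => 'commerce_order_access',
    'access arguments' => array('update', 3),
  ),
);

foreach (find_op_mismatches($items) as $path => $op) {
  print "$path is access-checked with '$op'\n";
}
```

With the sample input only the order delete path is reported; once its access arguments are array('delete', 3), the function returns an empty array.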

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.