only in patch2:
unchanged:
--- a/modules/order/src/OrderItemAccessControlHandler.php
+++ b/modules/order/src/OrderItemAccessControlHandler.php
@@ -42,6 +42,10 @@ class OrderItemAccessControlHandler extends CoreEntityAccessControlHandler {
     else {
       $bundle = $entity->bundle();
       $result = AccessResult::allowedIfHasPermission($account, "manage $bundle commerce_order_item");
+      // For draft orders, grant access if the order item is not locked.
+      if ($order->getState()->getId() === 'draft') {
+        $result = $result->andIf(AccessResult::allowedIf(!$entity->isLocked()));
+      }
     }
 
     return $result;
only in patch2:
unchanged:
--- a/modules/order/tests/src/Kernel/OrderItemAccessTest.php
+++ b/modules/order/tests/src/Kernel/OrderItemAccessTest.php
@@ -65,6 +65,17 @@ class OrderItemAccessTest extends OrderKernelTestBase {
     $this->assertTrue($order_item->access('update', $account));
     $this->assertTrue($order_item->access('delete', $account));
 
+    // Test access for locked order items.
+    $order_item_access_handler = \Drupal::entityTypeManager()->getAccessControlHandler('commerce_order_item');
+    $order_item_access_handler->resetCache();
+    $order_item->lock();
+    $this->assertTrue($order_item->access('update', $account));
+    $this->assertTrue($order_item->access('delete', $account));
+    $order_item->getOrder()->set('state', 'draft');
+    $order_item_access_handler->resetCache();
+    $this->assertFalse($order_item->access('update', $account));
+    $this->assertFalse($order_item->access('delete', $account));
+
     $account = $this->createUser([], ['administer commerce_order']);
     $this->assertTrue($order_item->access('view', $account));
     $this->assertTrue($order_item->access('update', $account));