Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Order uri callback returns the path to the orders admin page even if user doesn't have access to it.
Comment | File | Size | Author |
---|---|---|---|
#1 | order_uri_callback_prevent_access_denied-2321205-1.patch | 663 bytes | anrikun |
Comments
Comment #1
anrikun CreditAttribution: anrikun commentedComment #2
rszrama CreditAttribution: rszrama commentedTagging for http://contribkanban.com/#/board/commerce/7.x-1.x.
Comment #3
mglamanApplies and makes sense to check if user passes same access checks the menu path has before returning it.
Comment #4
rszrama CreditAttribution: rszrama at Centarro commentedAgreed. Compared against other entities in Commerce core and we're following a similar pattenr. Committing.
Comment #6
rszrama CreditAttribution: rszrama at Centarro commentedCommitted.