Order uri callback returns the path to the orders admin page even if user doesn't have access to it.

CommentFileSizeAuthor
#1 order_uri_callback_prevent_access_denied-2321205-1.patch663 bytesanrikun

Comments

anrikun’s picture

anrikun commented
Status: Active » Needs review
StatusFileSize
new order_uri_callback_prevent_access_denied-2321205-1.patch663 bytes
rszrama’s picture

rszrama commented
Issue tags: +sprint

Tagging for http://contribkanban.com/#/board/commerce/7.x-1.x.

mglaman’s picture

mglaman
Primary language English
Location WI, USA
commented
Status: Needs review » Reviewed & tested by the community

Applies and makes sense to check if user passes same access checks the menu path has before returning it.

rszrama’s picture

rszrama commented

Agreed. Compared against other entities in Commerce core and we're following a similar pattenr. Committing.

  • rszrama committed 3d89816 on 7.x-1.x authored by anrikun 
    Issue #2321205 by anrikun, rszrama, mglaman: check the proper access...
rszrama’s picture

rszrama commented
Status: Reviewed & tested by the community » Fixed

Committed.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.