Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Hm. Is it just me or is there sth. weird about the payment methods permissions? There seem to be permissions like "view any order" / "view own order" - but there are no permissions like "view any payment methods" / "view own payment methods". And when I'm logged in as any arbitray user and I enter a url like "/user//payment-methods" I can see any other user's payment methods and modules/payment/commerce_payment.routing.yml just says:
requirements: _user_is_logged_in
which I guess means, that it's only necessary to be logged in.
Comments
Comment #2
bojanz CreditAttribution: bojanz at Centarro commentedConfirmed.
Plan:
1) Add an "administer commerce_payment_method" permission.
2) Add a "manage own commerce_payment_method" permission.
3) Add a custom access control handler for the two permissions
4) Add a custom access check for the mentioned routes, using the two permissions
Comment #4
bojanz CreditAttribution: bojanz at Centarro commentedFixed. Thanks for reporting!