Problem/Motivation
Since #3174306: Viewing shipments requires the "administer commerce_shipment" permission, it's possible to view shipments via JSONAPI if the current customer is able to view order referencing the shipment.
I believe we should also allow updates.
The only potential problem is allowing updates to fields that are supposed to be "protected", such as the shipping service, method, and amount, which shouldn't be set directly.
Applying a rate using Commerce API, for example, is done by patching the order.
Comment | File | Size | Author
---|---|---|---
#9 | 3245754-9.patch | 771 bytes | jsacksick
#6 | 3245754-6.patch | 8.21 KB | jsacksick
Comments
Comment #2
jsacksick commented:
So the shipment access control handler logic was copied from commerce_product (i.e. view access is determined by the parent order), otherwise the "manage" permission is checked.
It's not really logical to me that granting the "manage $bundle commerce_shipment" permission gives you the ability to update/delete any shipment, but doesn't let you view them...
I added field access logic that applies only to JSON API routes, that forbids the update of the following fields:
Updating the shipping service / shipping method should be done from the order resources when the shipping is used in combination with Commerce API.
Comment #3
jsacksick commented:
Comment #4
jsacksick commented:
Better with the actual FieldAccess class.
Comment #6
jsacksick commented:
Comment #8
jsacksick commented:
Committed!
Comment #9
jsacksick commented:
Bummer, made a mistake with the route check... JSON API routes have a flag at the "default" level, not at the requirement level.
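The following is an added example, not the commerce_shipping patch from this issue, showing the shape of the field-access restriction the thread describes: on JSON:API routes only, deny `edit` access to shipment fields that must be changed by patching the order rather than the shipment. It uses `hook_entity_field_access()` in a hypothetical module `my_shipping_lock` rather than the module's own FieldAccess class mentioned in comment #4; the module name and the list of protected field names (`shipping_method`, `shipping_service`, `amount`, taken from the issue summary) are assumptions. The `_is_jsonapi` route default is the flag comment #9 refers to, and it is read from the route defaults, not the requirements.

```php
<?php

/**
 * @file
 * Added example (not the commerce_shipping patch): forbid updating protected
 * commerce_shipment fields over JSON:API. Module name "my_shipping_lock" and
 * the field list are assumptions; "_is_jsonapi" is the JSON:API route default.
 */

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Field\FieldDefinitionInterface;
use Drupal\Core\Field\FieldItemListInterface;
use Drupal\Core\Session\AccountInterface;
use Symfony\Component\Routing\Route;

/**
 * Shipment fields that are set by applying a rate to the order, never by
 * patching the shipment resource directly (assumed field names).
 */
const MY_SHIPPING_LOCK_PROTECTED_FIELDS = [
  'shipping_method',
  'shipping_service',
  'amount',
];

/**
 * Returns TRUE when the given route is a JSON:API route.
 *
 * The flag lives in the route defaults, so reading it with
 * $route->getRequirement('_is_jsonapi') would never match (the mistake
 * described in comment #9) and the restriction would silently not apply.
 */
function my_shipping_lock_is_jsonapi_route(?Route $route): bool {
  return $route !== NULL && (bool) $route->getDefault('_is_jsonapi');
}

/**
 * Implements hook_entity_field_access().
 */
function my_shipping_lock_entity_field_access($operation, FieldDefinitionInterface $field_definition, AccountInterface $account, FieldItemListInterface $items = NULL) {
  // Only shipment edits are of interest; everything else stays neutral so
  // the entity access handler and other modules decide.
  if ($operation !== 'edit' || $field_definition->getTargetEntityTypeId() !== 'commerce_shipment') {
    return AccessResult::neutral();
  }
  if (!in_array($field_definition->getName(), MY_SHIPPING_LOCK_PROTECTED_FIELDS, TRUE)) {
    return AccessResult::neutral();
  }
  $route = \Drupal::routeMatch()->getRouteObject();
  if (!my_shipping_lock_is_jsonapi_route($route)) {
    // Admin UI forms and programmatic updates are unaffected.
    return AccessResult::neutral();
  }
  // Vary by route so a cached "forbidden" is not reused on non-JSON:API
  // requests for the same account.
  return AccessResult::forbidden('Shipping method, service and amount are set by patching the order, not the shipment.')
    ->addCacheContexts(['route']);
}
```

With this in place a JSON:API `PATCH` to a shipment that includes one of the protected attributes is rejected with a 403 by the JSON:API field access check, while patches to other shipment fields, and all non-JSON:API updates, are unaffected.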