Hello,

Thanks Commerce Guys for this module.

I would like to know if there is a way to grant a user these permissions without coding (I mean using UI only):

  • Delete own products
  • Delete any products
  • Delete own xyz products
  • Delete any xyz products

Thanks in advance for your support.

EDIT:
The 7.x issue is now addressed in contrib: https://www.drupal.org/project/commerce_deletepermissions

Comments

rszrama’s picture

Status: Active » Fixed

There is no way. I'm not entirely sure why we don't have the permissions other than that products owned by varying users isn't supported very well in Commerce 1.x. It's something that will need to be improved going forward, especially to support marketplace scenarios.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

arnoldbird’s picture

Version: 7.x-1.1 » 7.x-1.8
Category: Support request » Feature request
Issue summary: View changes
Status: Closed (fixed) » Active

Does the 2x branch separate the edit and delete perms? As of 1.8, there is no way (in the UI) to give someone permission to edit a product without also giving permission to delete products. I don't need as much granularity as the original poster was seeking. I would just like to be able to assign edit perms without also allowing users to delete products. One single "delete products" perm (applicable to all product types) would do it for me.

Thank you

rszrama’s picture

Title: The permissions "delete product..." » Separate delete permissions out of edit permissions
Version: 7.x-1.8 » 7.x-1.x-dev
Component: Product » Commerce
Status: Active » Postponed

It does not right now, but I can't think of any reason not to support separate edit vs. delete permission. Core does this for content, so let's make this a feature request for 2.x.

sportel’s picture

I agree. I would very much like my client (shop owner) to be able to edit an order, but not to delete it. I think it's too dangerous. If a customer has made an order, that order can never be "un-made". It can be cancelled, but not deleted. Invoice numbers get lost and all that kind of thing. Big feature request!

Channel Islander’s picture

I also very much need to differentiate between edit order and delete order permissions.

bgilhome’s picture

Attachment status: new; file size: 944 bytes

Here's a patch that adds separate 'delete own' and 'delete any' permissions for each commerce entity type & bundle.

NB these permissions will now override the 'administer $entity_type entities' permission - this permission will now only be used in access checking when the operation is none of 'view', 'create', 'edit' or 'delete' (e.g. accessing commerce admin views etc).

Seems that VBO doesn't respect the permission in its bulk operations select list but if an operation is performed without permission it doesn't process any entities.

adamps’s picture

Version: 7.x-1.x-dev » 8.x-2.x-dev
Status: Postponed » Active

The patch in #7 is a start, but looks like it would also need per-bundle create and edit permissions, plus code in commerce_entity_access to check the new permissions if 'op' is delete.

However as I understand it, such a patch cannot ever be committed to commerce v1 because it would break all existing sites. Hence @rszrama postponed it. There is now a version setting for v2, so I hope I'm not out of order in bringing this back to life with the appropriate settings.

If you want a D7 solution in the meantime, you could patch commerce every time there is a new release. An alternative approach is to use hooks.

/**
 * Implements hook_permission().
 */
function XXX_permission() {
  $permissions = array();
  $permissions['delete products'] = array(
    'title' => t('Delete products'),
    'description' => t('Delete products where there is permission to edit.'),
  );
  
  return $permissions;
}

/**
 * Implements hook_commerce_entity_access().
 */
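function XXX_commerce_entity_access($op, $entity, $account, $entity_type) {
  // Deny deletion to accounts that lack the new permission. Returning nothing
  // leaves the decision to the other access checks.
  // Note: there is no $entity_type test here, so the check applies to every
  // entity type this hook is invoked for, not only products.
  if ($op == 'delete') {
    if (!user_access('delete products', $account)) {
      return FALSE;
    }
  }
}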
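The hook approach above, extended to the per-type "own"/"any" delete permissions asked for in the original post. This is an added example, not code from this thread or from Commerce; the module name `mymodule` and the permission names are hypothetical, and it assumes Commerce 1.x on Drupal 7.

```php
<?php

/**
 * Implements hook_permission().
 *
 * "mymodule" and the permission names below are hypothetical.
 */
function mymodule_permission() {
  $permissions = array();
  // One "own" and one "any" delete permission per product type (bundle).
  foreach (commerce_product_types() as $type => $info) {
    $args = array('%type' => $info['name']);
    $permissions["delete own $type products"] = array(
      'title' => t('Delete own %type products', $args),
    );
    $permissions["delete any $type products"] = array(
      'title' => t('Delete any %type products', $args),
      'restrict access' => TRUE,
    );
  }
  return $permissions;
}

/**
 * Implements hook_commerce_entity_access().
 */
function mymodule_commerce_entity_access($op, $entity, $account, $entity_type) {
  // Only restrict deletion of products; stay neutral for everything else.
  if ($op != 'delete' || $entity_type != 'commerce_product' || !is_object($entity)) {
    return NULL;
  }
  if (user_access("delete any {$entity->type} products", $account)) {
    return NULL;
  }
  // uid 0 (anonymous) never counts as an owner.
  $is_owner = !empty($entity->uid) && $entity->uid == $account->uid;
  if ($is_owner && user_access("delete own {$entity->type} products", $account)) {
    return NULL;
  }
  // Deny: holding an edit permission alone no longer allows deletion.
  return FALSE;
}
```

The hook only ever denies or stays neutral, so it narrows the existing edit-implies-delete behaviour without granting access anyone lacked before. After enabling it, every role that should still delete products needs one of the new permissions assigned in the UI.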

mglaman’s picture

This should be simple enough to do. Just need to copy \Drupal\node\NodePermissions::nodeTypePermissions essentially.

mglaman’s picture

Status: Active » Needs review
Attachment status: new; file size: 2.69 KB

mglaman’s picture

Status: Needs review » Needs work

This needs work. Need to implement access control handler, like NodeAccessControlHandler.

mglaman’s picture

Assigned: Unassigned » mglaman

I'll wrap this up over the weekend.

mglaman’s picture

Status: Needs work » Postponed

powysm’s picture

Do I understand this correctly - following entity api permissions there should be an 'access' annotation in Product (and potentially orders etc. also) pointing to an EntityAccessControlHandler? In which case does postponed mean this is just a time issue or are there dependencies that need to be resolved first?

geek-merlin’s picture

Issue summary: View changes

The 7.x issue is now addressed in contrib: https://www.drupal.org/project/commerce_deletepermissions

mglaman’s picture

Status: Postponed » Closed (outdated)

For 2.x we have #2715273: Implement full permissions for every entity type. Marking this outdated, now.