If I understand correctly, there is no way to restrict access to only orders with products created by a user.
Because of this, we are kinda halfway to a multistore. We can restrict access to view/edit 'own products' but then we let the user access 'all orders', 'own orders' or 'no orders'. In a multistore, a user would have to have access only to orders which pertain to him as a seller and not be able to view orders for products of others.
1. Default permissions check does not allow for such a setup
2. commerce_entity_access() does not allow override on 'view' operation.
I can see how it could be difficult to decide on treating orders with products of multiple owners out of the box, so perhaps you could allow overriding of commerce_entity_access() also on view and this way enable a more fine grained access.
Comments
Comment #0.0
Maciej Lukianski commented:
simple update
Comment #1
rszrama commented:
Since it's been over a year now, I'm hoping you found a way around your issue. However, I'm going to close it "works as designed" because commerce_entity_access() is in fact extensible for the 'view' operation. There isn't a direct hook - rather you have two options:
In your case, I'd probably run a query in the hook function to find the uids of the products on the order and then add a condition that checked to see if the current user's uid is in the group of uids. Or you could even more simply do that evaluation in PHP and put a 1 = 1 condition into the query directly.
For an example, check out the Cart module's implementation: commerce_cart_commerce_entity_access_condition_commerce_order_alter()
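An added example, not part of the original thread or of Commerce itself, sketching the approach described in comment #1. It assumes Drupal 7 with Commerce 1.x, default SQL field storage, the stock `commerce_product` reference field on line items, and the `account` and `base_table` context keys as the Cart module's implementation uses them; `mymodule` is a hypothetical module name.

```php
<?php
/**
 * Implements hook_commerce_entity_access_condition_commerce_order_alter().
 *
 * "mymodule" is a hypothetical module name. Assumes Drupal 7, Commerce 1.x,
 * default SQL field storage and the stock "commerce_product" reference field
 * on line items.
 */
function mymodule_commerce_entity_access_condition_commerce_order_alter(&$conditions, $context) {
  $account = $context['account'];

  // Never grant anything to anonymous users, so that uid 0 cannot match
  // products stored without an owner.
  if (empty($account->uid)) {
    return;
  }

  // Orders that have at least one line item referencing a product owned by
  // this account.
  $query = db_select('commerce_line_item', 'li');
  $query->join('field_data_commerce_product', 'fp',
    'fp.entity_id = li.line_item_id AND fp.entity_type = :type AND fp.deleted = 0',
    array(':type' => 'commerce_line_item'));
  $query->join('commerce_product', 'p', 'p.product_id = fp.commerce_product_product_id');
  $order_ids = $query
    ->fields('li', array('order_id'))
    ->condition('p.uid', $account->uid)
    ->condition('li.order_id', 0, '>')
    ->distinct()
    ->execute()
    ->fetchCol();

  // $conditions is an OR group of access grants, so this adds visibility and
  // removes none. Add nothing when there are no matches: an empty IN list is
  // invalid SQL.
  if (!empty($order_ids)) {
    $conditions->condition($context['base_table'] . '.order_id', $order_ids, 'IN');
  }
}
```

This grants a seller the whole order, including line items for other sellers' products, which is the multi-owner case the original post raises. Line item access is evaluated separately, as comment #5 points out.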
Comment #2
Philben commented:
@rszrama - I have the same issue of allowing different product owners to view their product orders. I'm not sure how to implement your suggestion, can you please explain further? Thanks.
Comment #3
Philben commented
Comment #4
rszrama commented:
Sorry, there's not really much more for me to say here without sitting down to write the code myself. If you aren't a developer, you might also try just building a custom interface via Views where you bypass access control query altering and just ensure you aren't exposing sensitive data to the wrong users.
Comment #4.0
rszrama commented:
clarification
Comment #5
clevername commented:
One thing of note. Be sure to consider the permission of line items, if there are line item relationships or fields included in your order. This gave me a good runaround before I sorted out why orders weren't showing for users once I altered the permissions.
Comment #6
maxplus commented:
Hi,
I understand what Ryan is saying in #4.
In the view-settings under "other", you can change this setting in the query settings: "Disable SQL rewriting"
=> by doing this, you bypass all permissions
In my case, I first disabled all permissions for users to view orders and just created a custom view that displays the necessary information about the user's orders.
Good solution for me for now without writing custom code.
Thanks
Comment #7
boby_ui commented (as a volunteer):
+1 on this. Has this ever been solved with proper code or a hook??
Comment #8
boby_ui commented (as a volunteer)
Comment #9
spacetaxi commented:
I wrote a blog post that attempts to explain how I think hook_query_TAG_alter can be used to modify line item access control. I hope it helps someone else who might be banging their head against this question! Better yet, someone might explain what I might be doing wrong.
Comment #10
mrcniceguy commented:
Hello @maxplus. Did you use any contextual filters to achieve this, and which values did you pass to know the user? I am using Drupal 7.
I need the same functionality: every product owner to see their orders.
Any response will be highly appreciated.
Comment #11
chike
Using Drupal 10.2.3 and Commerce 8.x-2.38 I am still not able to let users see only orders on their own products.