If I understand correctly, there is no way to restrict access to only orders with products created by a user.

Because of this, we are kinda halfway to a multistore. We can restrict access to view/edit 'own products' but then we let the user access 'all orders', 'own orders' or 'no orders'. In a multistore, a user would have to have access only to orders which pertain to him as a seller and not be able to view orders for products of others.

1. Default permissions check does not allow for such a setup
2. commerce_entity_access() does not allow override on 'view' operation.

I can see how it could be difficult to decide on treating orders with products of multiple owners out of the box, so perhaps you could allow overriding of commerce_entity_access() also on view and this way enable a more fine grained access.

Comments

Maciej Lukianski’s picture

Issue summary: View changes

simple update

rszrama’s picture

Status: Active » Closed (works as designed)

Since it's been over a year now, I'm hoping you found a way around your issue. However, I'm going to close it "works as designed" because commerce_entity_access() is in fact extensible for the 'view' operation. There isn't a direct hook - rather you have two options:

  1. Use Drupal's query altering, which can work by tag. Since an access query for an Order will be tagged with commerce_order_access, you can implement hook_query_TAG_alter() and add an additional condition to the OR group that would allow the access query to return 1 (i.e. access granted) for your condition.
  2. Use hook_commerce_entity_access_condition_commerce_order_alter(). This one's a bit more direct in that you can directly append conditions to the OR group used to determine a user's access to view an order. If any of the conditions in the OR group evaluate to TRUE, access will be granted.

In your case, I'd probably run a query in the hook function to find the uids of the products on the order and then add a condition that checked to see if the current user's uid is in the group of uids. Or you could even more simply do that evaluation in PHP and put a 1 = 1 condition into the query directly.

For an example, check out the Cart module's implementation: commerce_cart_commerce_entity_access_condition_commerce_order_alter()
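
Option 2 above with the subquery approach described in this comment, as an added example that is not part of the original thread and not Commerce's own code, written for Drupal 7 / Commerce 1.x. The module name `mymodule` and the permission are hypothetical, and the table and column names assume the default `commerce_product` reference field on line items.

```php
<?php

/**
 * Implements hook_permission().
 */
function mymodule_permission() {
  return array(
    // Hypothetical permission name, so the grant is opt-in per role.
    'view orders containing own products' => array(
      'title' => t('View orders containing own products'),
    ),
  );
}

/**
 * Implements hook_commerce_entity_access_condition_commerce_order_alter().
 */
function mymodule_commerce_entity_access_condition_commerce_order_alter(&$conditions, $context) {
  $account = $context['account'];

  // Never match on uid 0: products owned by the anonymous user would
  // otherwise expose their orders to every anonymous visitor.
  if (empty($account->uid) || !user_access('view orders containing own products', $account)) {
    return;
  }

  // Order IDs having at least one line item whose referenced product is
  // owned by this account. Table and column names assume the default
  // commerce_product reference field on line items.
  $owned = db_select('commerce_line_item', 'li');
  $owned->join('field_data_commerce_product', 'fp',
    "fp.entity_type = 'commerce_line_item' AND fp.entity_id = li.line_item_id AND fp.deleted = 0");
  $owned->join('commerce_product', 'p', 'p.product_id = fp.commerce_product_product_id');
  $owned->fields('li', array('order_id'));
  $owned->condition('p.uid', $account->uid);

  // Appended to the OR group: this can only grant view access, never remove
  // it. The grant covers the whole order, including line items for other
  // sellers' products on a mixed-owner order.
  $conditions->condition($context['base_table'] . '.order_id', $owned, 'IN');
}
```

Line item access is checked separately, as a later comment in this thread notes, so verify what a seller actually sees on an order that mixes products from several owners.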

Philben’s picture

@rszrama - I have the same issue of allowing different product owners to view their product orders. I'm not sure how to implement your suggestion, can you please explain further? Thanks.

Philben’s picture

Status: Closed (works as designed) » Active

rszrama’s picture

Status: Active » Closed (works as designed)

Sorry, there's not really much more for me to say here without sitting down to write the code myself. If you aren't a developer, you might also try just building a custom interface via Views where you bypass access control query altering and just ensure you aren't exposing sensitive data to the wrong users.

rszrama’s picture

Issue summary: View changes

clarification

clevername’s picture

Issue summary: View changes

One thing of note. Be sure to consider the permission of line items, if there are line item relationships or fields included in your order. This gave me a good runaround before I sorted out why orders weren't showing for users once I altered the permissions.

maxplus’s picture

Hi,
I understand what Ryan is saying in #4.
In the view-settings under "other", you can change this setting in the query settings: "Disable SQL rewriting"
=> by doing this, you bypass all permissions

In my case, I first disabled all permissions for users to view orders and just created a custom view that displays the necessary information about the user's orders.

Good solution for me for now without writing custom code.

Thanks

boby_ui’s picture

+1 on this, has this been ever solved with proper code or hook??

boby_ui’s picture

Status: Closed (works as designed) » Active

spacetaxi’s picture

I wrote a blog post that attempts to explain how I think hook_query_TAG_alter can be used to modify line item access control. I hope it helps someone else who might be banging their head against this question! Better yet, someone might explain what I might be doing wrong.

mrcniceguy’s picture

Hello @maxplus, did you use any contextual filters or to achieve this? Which values did you pass to know the user? I am using Drupal 7.

I need the same functionality, every product owner to see their orders.

Any response will be highly appreciated.

chike’s picture

Version: 7.x-1.x-dev » 8.x-2.x-dev

Using Drupal 10.2.3 and Commerce 8.x-2.38 I am still not able to let users see only orders on their own products.