In the case where a user has the permission to view own entities but doesn't have the permission to view all entities, Commerce will sometimes try to perform an access check but fail to grant access even when the user has access.

An example is a user viewing his own order who is unable to see the line items of his own order, even though he is able to view his own order.

#2 1434730-2.patch (1.82 KB, googletorp) PASSED: [[SimpleTest]]: [MySQL] 3,553 pass(es).
#1 1434730.patch (14.12 KB, googletorp) PASSED: [[SimpleTest]]: [MySQL] 3,553 pass(es).


googletorp’s picture

Status: Active » Needs review
14.12 KB
PASSED: [[SimpleTest]]: [MySQL] 3,553 pass(es).

The problem turned out to be a very simple line of code:

In the commerce_entity_access_query_alter function the base table for the query was found like this:

$tables = &$query->getTables();
$base_table = key($tables);

In some cases this went well, but in other cases this didn't work out as it should, as the table selected as the base table would not be the same as the table used for the entity. When doing stuff like

$conditions->condition($base_table . '.' . $entity_info['access arguments']['user key'], $account->uid);

The query could end up being 'commerce_line_item.uid = 2'. Since line items don't have a uid, the query will fail, but due to the nature of the query it doesn't generate a PDOException.

I have attached a patch that fixes this, you can also see this commit
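
The base-table mismatch described in the comment above, as an added example that is not part of the original post or the attached patch. The `$tables` and `$entity_info` arrays are constructed sample data shaped like Drupal 7's `SelectQuery::getTables()` result and entity info, and `entity_table_alias()` is a hypothetical helper.

```php
<?php
// Added illustration; runs without Drupal. Constructed sample data in the
// shape SelectQuery::getTables() returns in Drupal 7: alias => table info.
$tables = array(
  'commerce_line_item' => array('join type' => NULL, 'table' => 'commerce_line_item', 'alias' => 'commerce_line_item'),
  'o' => array('join type' => 'INNER', 'table' => 'commerce_order', 'alias' => 'o'),
);

// Constructed stand-in for the relevant part of the entity info.
$entity_info = array(
  'base table' => 'commerce_order',
  'access arguments' => array('user key' => 'uid'),
);

// Approach quoted in the post: treat the first table as the entity table.
function first_table_alias(array $tables) {
  reset($tables);
  return key($tables);
}

// Hypothetical helper: the alias under which the entity's base table
// appears in the query, or NULL when that table is not part of the query.
function entity_table_alias(array $tables, $base_table) {
  foreach ($tables as $alias => $info) {
    // 'table' can hold a subquery object; only plain table names match.
    if (is_string($info['table']) && $info['table'] === $base_table) {
      return $alias;
    }
  }
  return NULL;
}

$user_key = $entity_info['access arguments']['user key'];

// First-table lookup: the owner condition lands on the line item table.
echo 'first table:  ' . first_table_alias($tables) . '.' . $user_key . "\n";

// Lookup by entity base table: the condition lands on the order table alias.
$alias = entity_table_alias($tables, $entity_info['base table']);
if ($alias === NULL) {
  // No table to attach the owner condition to; the caller has to handle
  // this case explicitly instead of falling back to the first table.
  echo "entity table: not present in query\n";
}
else {
  echo 'entity table: ' . $alias . '.' . $user_key . "\n";
}
```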

googletorp’s picture

1.82 KB
PASSED: [[SimpleTest]]: [MySQL] 3,553 pass(es).

Uploaded same patch, but without all the junk from Drupal's build system.

mossy2100’s picture

This didn't solve the problem for me.

googletorp’s picture

#3 Your comment isn't really of much help unless you state a test case where the permission check fails.

E.g. when viewing a FOO and the user has permission BAR, BAZ isn't displayed.

googletorp’s picture

Issue tags: +1.3 review

Ryan mind if you look at this for 1.3 - I went and made a shameless tag :)

cvangysel’s picture

#2 was the solution I also had in mind ... can anyone give a use-case where this still fails?

rszrama’s picture

Priority: Major » Normal
Status: Needs review » Closed (duplicate)

I'm pretty sure this just got fixed as part of the patch in #1879260: More robust query altering for line items. Marking duplicate, but feel free to reopen if I've missed an edge case in here.