When checking access permissions in commerce_addressbook_profile_options_access(), only the permissions for the specific bundle are checked (e.g. "Edit own Billing information customer profiles" and "Edit any Billing information customer profile"). It should also check for the permissions that provide access to all bundles (i.e. "Edit own customer profiles of any type" and "Edit any customer profile of any type") as well as the "Administer customer profiles" permission.
Comment | File | Size | Author |
---|---|---|---|
#4 | access_policy-1508724-4.patch | 1.36 KB | plopesc |
#1 | options-access-missing-permissions-1508724-1.patch | 1.1 KB | BassistJimmyJam |
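
The permission hierarchy described in the issue summary, modelled in plain PHP as an added example (not the module's code or the committed patch). The permission strings are the labels quoted above; the function names and array shapes are hypothetical, and the sample accounts are constructed.

```php
<?php
// Added example, not the module's code: a plain-PHP model of the check.
// Permission strings are the UI labels quoted in the issue; function names
// and array shapes are hypothetical.

function example_has(array $account, string $perm): bool {
  return in_array($perm, $account['permissions'], true);
}

// Behaviour described as the bug: only bundle-specific permissions count.
function example_access_bundle_only(array $account, array $profile): bool {
  $owns = $account['uid'] === $profile['uid'];
  return example_has($account, "Edit any {$profile['label']} customer profile")
    || ($owns && example_has($account, "Edit own {$profile['label']} customer profiles"));
}

// Check the issue asks for: admin, then any-type, then bundle-specific.
function example_access_full(array $account, array $profile): bool {
  if (example_has($account, 'Administer customer profiles')) {
    return true;
  }
  $owns = $account['uid'] === $profile['uid'];
  if (example_has($account, 'Edit any customer profile of any type')
      || ($owns && example_has($account, 'Edit own customer profiles of any type'))) {
    return true;
  }
  // Fall back to the bundle-specific permissions; anything else is denied.
  return example_access_bundle_only($account, $profile);
}

// Constructed sample data: one billing profile owned by uid 7.
$profile = ['uid' => 7, 'label' => 'Billing information'];
$accounts = [
  'owner, bundle own'   => ['uid' => 7, 'permissions' => ['Edit own Billing information customer profiles']],
  'owner, any-type own' => ['uid' => 7, 'permissions' => ['Edit own customer profiles of any type']],
  'other, any-type own' => ['uid' => 9, 'permissions' => ['Edit own customer profiles of any type']],
  'other, any-type any' => ['uid' => 9, 'permissions' => ['Edit any customer profile of any type']],
  'admin'               => ['uid' => 1, 'permissions' => ['Administer customer profiles']],
  'no permissions'      => ['uid' => 9, 'permissions' => []],
];
foreach ($accounts as $name => $account) {
  printf("%-20s bundle-only=%-5s full=%s\n", $name,
    var_export(example_access_bundle_only($account, $profile), true),
    var_export(example_access_full($account, $profile), true));
}
```

The rows to watch are the any-type and admin accounts, which the bundle-only check refuses, and the non-owner holding only an "own" permission, which must stay refused once the broader permissions are honoured.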
Comments
Comment #1
BassistJimmyJam commented: Attached patch adds missing permission checks.
Comment #2
bojanz commented: Committed an extended version with some additional cleanup that fixes admin access in other places as well:
http://drupalcode.org/project/commerce_addressbook.git/commitdiff/d85abb2
Thanks!
Comment #3
bojanz commented: Retitling.
Comment #4
plopesc commented: Hello, I found a problem with access callbacks because I have not enabled the commerce addressbook for billing addresses, but enabled it for the shipping address.
Then in hook_menu, when calling commerce_customer_profile_types() on line 53, the first result is billing, and then you pass it as an argument for the access callback in the user/%user/addressbook page.
When I try to access user/%user/addressbook, it checks if I enabled the billing addressbook, and I can't access the page. However, I can access user/%user/addressbook/shipping. Moreover, the Address Book tab is not displayed in the user profile, given that the user can't access user/%user/addressbook.
I'm attaching a patch that improves that behavior, setting the first enabled addressbook as MENU_DEFAULT_LOCAL_TASK. Now I can access my shipping addressbook from the user profile page.
Thanks for this great module.
Regards
Comment #5
bojanz commented: Good catch! Committed and pushed. Thanks.