When checking access permissions in commerce_addressbook_profile_options_access(), only the permissions for the specific bundle are checked (e.g. "Edit own Billing information customer profiles" and "Edit any Billing information customer profile"). It should also check for the permissions that provide access to all bundles (i.e. "Edit own customer profiles of any type" and "Edit any customer profile of any type") as well as the "Administer customer profiles" permission.
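
The layered check this issue asks for, as an added example that is not part of the original issue or the module's own code. It is a stand-alone PHP model in which permissions are identified by the labels quoted above; the function name, the account array shape and the sample accounts are assumptions made for illustration.

```php
<?php
// Added illustration, not the module's code. A real Drupal 7 callback would
// call user_access() with permission machine names instead of these labels.

/**
 * Hypothetical helper: may $account edit a profile of $bundle_label that
 * belongs to $owner_uid?
 *
 * $account is a constructed shape: ['uid' => int, 'permissions' => string[]].
 */
function example_profile_edit_access(array $account, $bundle_label, $owner_uid) {
  $has = function ($permission) use ($account) {
    return in_array($permission, $account['permissions'], TRUE);
  };

  // 1. The administrative permission covers every profile of every bundle.
  if ($has('Administer customer profiles')) {
    return TRUE;
  }
  // 2. "Any" permissions: the all-bundles grant, then the bundle-specific one.
  if ($has('Edit any customer profile of any type')
    || $has("Edit any $bundle_label customer profile")) {
    return TRUE;
  }
  // 3. "Own" permissions count only when the account owns the profile.
  //    uid 0 is the anonymous user and never owns a profile.
  if ($account['uid'] !== 0 && $account['uid'] === $owner_uid) {
    return $has('Edit own customer profiles of any type')
      || $has("Edit own $bundle_label customer profiles");
  }
  // 4. Nothing matched: deny by default.
  return FALSE;
}

// Constructed sample accounts; each tries to edit a billing profile owned by uid 7.
$accounts = [
  'bundle-specific own' => ['uid' => 7, 'permissions' => ['Edit own Billing information customer profiles']],
  'all-bundles own'     => ['uid' => 7, 'permissions' => ['Edit own customer profiles of any type']],
  'own, wrong owner'    => ['uid' => 9, 'permissions' => ['Edit own customer profiles of any type']],
  'all-bundles any'     => ['uid' => 9, 'permissions' => ['Edit any customer profile of any type']],
  'administrator'       => ['uid' => 1, 'permissions' => ['Administer customer profiles']],
  'no permissions'      => ['uid' => 7, 'permissions' => []],
];
foreach ($accounts as $label => $account) {
  $allowed = example_profile_edit_access($account, 'Billing information', 7);
  printf("%-20s %s\n", $label, $allowed ? 'allowed' : 'denied');
}
```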


Comments

BassistJimmyJam’s picture

Status: Active » Needs review
FileSize
1.1 KB

Attached patch adds missing permission checks.

bojanz’s picture

Title: Access callbacks need improvement » Missing permissions in commerce_addressbook_profile_options_access()

Committed an extended version with some additional cleanup that fixes admin access in other places as well:
http://drupalcode.org/project/commerce_addressbook.git/commitdiff/d85abb2

Thanks!

bojanz’s picture

Title: Missing permissions in commerce_addressbook_profile_options_access() » Access callbacks need improvement
Status: Needs review » Fixed

Retitling.

plopesc’s picture

Title: Missing permissions in commerce_addressbook_profile_options_access() » Access callbacks need improvement
Status: Fixed » Needs review
FileSize
1.36 KB

Hello, I found a problem with access callbacks because I have not enabled the commerce addressbook for billing addresses, but have enabled it for shipping addresses.

Then in hook_menu, when calling commerce_customer_profile_types() on line 53, the first result is billing, and then you pass it as the argument for the access callback of the user/%user/addressbook page.

When I try to access user/%user/addressbook, it checks if I enabled the billing addressbook, and I can't access the page. However, I can access user/%user/addressbook/shipping. Moreover, the Address Book tab is not displayed in the user profile, given that the user can't access user/%user/addressbook.

I'm attaching a patch that improves that behavior by setting the first enabled addressbook as MENU_DEFAULT_LOCAL_TASK. Now I can access my shipping addressbook from the user profile page.

Thanks for this great module.

Regards

bojanz’s picture

Status: Needs review » Fixed

Good catch! Committed and pushed. Thanks.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.