We recommend Drupal session authentication and then use the normal Commerce entity access system to determine an API user's access to perform operations on our resources. However, just because a user has access to view a product doesn't mean the user should have access to an API endpoint that can return them the full JSON representation of the product. There is data in the full representation of an entity that a casual user might not otherwise have access to, so we should ensure that by enabling a resource the site isn't opening up all if its data to be read by any user.


marcus178’s picture

I think another reason for implementing this is at the moment I can't see a way for a anonymous user to be able to add a product to the cart. At the moment an anonymous user could only add a line item to the order if the permission Edit any order of any type was enabled for anonymous users which would obviously be a bad idea.

tyler.frankenstein’s picture

Status: Active » Needs review
910 bytes

Great module! I'm glad to see it has this much offered with it so far.

Here is a start to this issue with just a hook_permission() implementation. I didn't want to go too far down the wrong road here, so if this patch looks like it is headed in the right direction, I'll continue implementing it. @rszrama, please let me know if this is what you had in mind. If not, please share any alternatives thoughts, thanks!

P.S. The reason I started on this patch was a need for anonymous users to be able to create and modify the contents of a shopping cart. As @marcus178 mentioned, this currently requires the 'Create orders of any type' and 'Edit any order of any type' permissions, and that isn't very desirable.

torgosPizza’s picture

Issue summary: View changes

We're beginning work on our mobile stuff and this looks like the way to go. We also want people to at least add stuff to their cart without requiring authentication first (we ask for that at Checkout).

Thanks Tyler!

dzutaro’s picture

Now I am working on a mobile application that using line-item resource provided by Commerce Services module.

The problem is that a mobile application's user cannot add/remove line items to/from his order if he does not have Edit own orders or Edit own Order orders permissions.

It is because access callbacks of line-item/create and line-item/delete resources call a commerce_order_access() function to check user access.

So I made a patch that creates permissions for line-item resource and checks them where it is needed.