Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.I created a new role assigning to it all and only all permissions under the 'Order' section, except for 'Configure order settings'.
An authenticated user with the above role can edit any order (e.g. /admin/commerce/orders/11/edit) but cannot view it (/admin/commerce/orders/11)! That causes access denied.
This behavior happens irrespective if the Order is his own or not.
| Comment | File | Size | Author |
|---|---|---|---|
| #1 | view_orders_perm-2067925-1.patch | 561 bytes | maxrossello |
Comments
Comment #1
maxrossello CreditAttribution: maxrossello commentedI found the problem being in commerce_order_admin_order_view_access(), which requires the 'access administration pages' permission in addition to calling commerce_order_access().
I find this weird since editing an order just requires commerce_order_access(). Furthermore, 'access administration pages' brings in more admin menus, such as the help pages, which are more suitable to a developer than an administrator.
Patch attached
Comment #2
rszrama CreditAttribution: rszrama commentedThis works as designed as far as the Order UI module is concerned; the order URL is defined as an administration page, so we made a decision a few releases back to start requiring this permission for the various administration interfaces we have.
Comment #3
brylie CreditAttribution: brylie commentedWow, this totally makes sense, and I was having the same problem. Is this documented?
Comment #4
valentin schmid CreditAttribution: valentin schmid commented