Hi, we check if have access to update rather than to delete.

    if (!commerce_customer_profile_access('update', $profile)) {

Regards!

CommentFileSizeAuthor
Fix_commerce_customer_handler_field_customer_profile_link_delete-Commerce_Customer.patch850 bytesfacine

Comments

facine’s picture

facine commented
Status: Active » Needs review

Update status!

rszrama’s picture

rszrama commented
Title: Fix customer profile link delete field handler » Fix entity delete link Views field handlers to use delete access check
Category: Bug report » Task
Priority: Major » Normal
Issue summary: View changes
Status: Needs review » Needs work

I'm going to update the access checks in all of our delete link Views field handlers, but from a functionality standpoint, there actually is no bug here. The function that ultimately gets called treats "edit" and "delete" the same, since we don't separate out delete permission from update permission. For that matter, it would've worked fine if the access check was for "carrot", which is pretty silly. Fortunately, I just updated an old issue to become a feature request to resolve this in 2.x. ; )

rszrama’s picture

rszrama commented
Status: Needs work » Fixed

Turns out it was just customer profiles and orders. Thanks for the fix!

Commit: http://drupalcode.org/project/commerce.git/commitdiff/02a3a5c

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

Status: Closed (fixed) » Needs work

The last submitted patch, Fix_commerce_customer_handler_field_customer_profile_link_delete-Commerce_Customer.patch, failed testing.

rszrama’s picture

rszrama commented
Status: Needs work » Closed (fixed)