I have a site where the "Redeem any coupon" and "Redeem any Discount coupon coupon" permissions are false for anonymous and authenticated users, and yet I can still redeem coupon codes as an anonymous user on the Checkout page.

We discovered that the permission is tested elsewhere in the code, if someone without the "redeem any coupon" permission tries to update the order status via the administration UI.

Comments

fonant’s picture

fonant CreditAttribution: fonant commented
Version: 7.x-2.0-beta3 » 7.x-2.x-dev
dpolant’s picture

dpolant CreditAttribution: dpolant commented
Status: Active » Postponed (maintainer needs more info)

I'm not able to reproduce this, although I can see a point of confusion insofar as the coupon entry form still displays regardless of whether the user can actually enter the coupons.

But if I turn redeem any/discount coupons off for my role and enter a code, it shows an error message when I try to redeem.

dpolant’s picture

dpolant CreditAttribution: dpolant commented
Status: Postponed (maintainer needs more info) » Closed (cannot reproduce)

I'm closing this one since it's been a while. Reopen if necessary.