Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
I have a site where the "Redeem any coupon" and "Redeem any Discount coupon coupon" permissions are false for anonymous and authenticated users, and yet I can still redeem coupon codes as an anonymous user on the Checkout page.
We discovered that the permission is tested elsewhere in the code, if someone without the "redeem any coupon" permission tries to update the order status via the administration UI.
Comments
Comment #1
fonant CreditAttribution: fonant commentedComment #2
dpolant CreditAttribution: dpolant commentedI'm not able to reproduce this, although I can see a point of confusion insofar as the coupon entry form still displays regardless of whether the user can actually enter the coupons.
But if I turn redeem any/discount coupons off for my role and enter a code, it shows an error message when I try to redeem.
Comment #3
dpolant CreditAttribution: dpolant commentedI'm closing this one since it's been a while. Reopen if necessary.