Hi to all,
i've recently upgraded the versione of the commerce module, and i'm getting a strange problem.

I have a couple of users that can manage the store and view/edit the orders.
After the upgrade those users cant view the order page (admin/commerce/orders/[order-number]) because the access is denied also if the permissions are well setted.

The strange thing is also that they can edit the order(admin/commerce/orders/[order-number]/edit).

Any idea why this is appening or how can i backtrace this problem?

Thanks to all

Comments

rszrama’s picture

rszrama CreditAttribution: rszrama commented
Status: Active » Closed (fixed)

Just take a look at the permissions in the View. I think I remember us changing the specific permission used or something, so you can check it out and compare it against the permissions you've granted to your users.

andrea.cavattoni’s picture

andrea.cavattoni CreditAttribution: andrea.cavattoni commented
Status: Closed (fixed) » Active

Sorry but there is no views of the order page, is a rendered entity.
If there is where can i find it?

I changed the "commerce_order_access" function returning true always, but i cant see the order anyway.

Also the path "/admin/commerce/" return a 403, i've tried out the module "access denied backtrace" but it says that "there is no explicit access denied for this user" in the page.
I've also placed a watchdog in the "commerce_order_access" and in the "commerce_entity_access" function but both are not executed with the test user (with the admin user it works).

Any idea?

andrea.cavattoni’s picture

andrea.cavattoni CreditAttribution: andrea.cavattoni commented

Finally i've solved the problem backtracing the 403 to this function "commerce_order_admin_order_view_access".

It seems that it gets a 403 because i've not setted the permissions for "administration help" (user_access('access administration pages')).

rszrama’s picture

rszrama CreditAttribution: rszrama commented
Status: Active » Closed (works as designed)

Ok, that's the permission we've always used. There's another open issue to change this to a custom permission somewhere.

Lukas von Blarer’s picture

Lukas von Blarer
he/him
CreditAttribution: Lukas von Blarer commented
Status: Closed (works as designed) » Active

But this is not a permission I want to give to the customers... This gives access to some other URLs. This used to work before. Is there something else I could do except giving this permission?

Lukas von Blarer’s picture

Lukas von Blarer
he/him
CreditAttribution: Lukas von Blarer commented
Status: Active » Closed (works as designed)

Sorry, didn't mean to change the status...

rszrama’s picture

rszrama CreditAttribution: rszrama commented

Can't you just edit the View to set it to what you want?

Lukas von Blarer’s picture

Lukas von Blarer
he/him
CreditAttribution: Lukas von Blarer commented

Yes, you are right. But there is no other path orders can be access, right? Removing admin/ gives a 404.