Hello!
Users in my website can view list of his orders on User profile page.
I added permission "view own order" for authorised users. I render commerce_order entity with "customer" view mode through Panels.
But when user opens his order, he sees link to "admin/commerce/orders" page. If he click by this link, he sees 403.
I searched reason of this problem - it is function commerce_order_ui_order_uri().
We check "view" permission for user and add link to admin page.
| Comment | File | Size | Author |
|---|---|---|---|
| #2 | commerce-check_access_for_order_page-2617784-1.patch | 645 bytes | mikhailkrainiuk |
Comments
Comment #2
mikhailkrainiuk commentedI propose check access with "access callback" from "admin/commerce/orders" page, because we render link to this page.
Could you please see patch?
Thank you.
Comment #3
rszrama commentedHmm, I've never seen this on the normal order view page for non-authorized users. Is this because you're using Panels to display the local action link(s)?
Comment #4
mikhailkrainiuk commentedWhy non-authorized users? Users are logged in, but they haven't got access to administer pages.
My actions:
I added panel with URL "user/%user/history/%commerce_order"
I open "Arguments" section of panel and set "%commerce_order" as "Commerce Order: ID"
I open "Content" section of Panel variant and add new panel pane "Rendered Commerce order" from "Entity" group.
Comment #5
mikhailkrainiuk commentedAny news?
Comment #6
rszrama commentedOk, the issue was I didn't have enough information from your post to piece it together. I finally discovered it's the rendered entity label that Panels automatically links to its entity page. I disagree with that behavior - seems rather aggressive of Panels to randomly link things like that.
However, you're right in that the proper URI isn't chosen for customer views. I'm researching it now to see if your change is all that's required, but I wonder too if we might have a fallback to point to the normal customer view URL in the event the admin URL is inaccessible.