Hello!
Users on my website can view a list of their orders on the user profile page.
I added the "view own order" permission for authorised users. I render the commerce_order entity with the "customer" view mode through Panels.
But when a user opens his order, he sees a link to the "admin/commerce/orders" page. If he clicks this link, he sees a 403.
I searched for the reason for this problem - it is the function commerce_order_ui_order_uri().
We check the "view" permission for the user and add a link to the admin page.
Comment | File | Size | Author |
---|---|---|---|
#2 | commerce-check_access_for_order_page-2617784-1.patch | 645 bytes | mikhailkrainiuk |
Comments
Comment #2
mikhailkrainiuk (DrupalJedi) commented:
I propose checking access with the "access callback" from the "admin/commerce/orders" page, because we render a link to this page.
Could you please see the patch?
Thank you.
Comment #3
rszrama (Centarro) commented:
Hmm, I've never seen this on the normal order view page for non-authorized users. Is this because you're using Panels to display the local action link(s)?
Comment #4
mikhailkrainiuk (DrupalJedi) commented:
Why non-authorized users? Users are logged in, but they haven't got access to administer pages.
My actions:
I added a panel with the URL "user/%user/history/%commerce_order"
I open the "Arguments" section of the panel and set "%commerce_order" as "Commerce Order: ID"
I open the "Content" section of the Panel variant and add a new panel pane "Rendered Commerce order" from the "Entity" group.
Comment #5
mikhailkrainiuk (DrupalJedi) commented:
Any news?
Comment #6
rszrama (Centarro) commented:
Ok, the issue was I didn't have enough information from your post to piece it together. I finally discovered it's the rendered entity label that Panels automatically links to its entity page. I disagree with that behavior - seems rather aggressive of Panels to randomly link things like that.
However, you're right in that the proper URI isn't chosen for customer views. I'm researching it now to see if your change is all that's required, but I wonder too if we might have a fallback to point to the normal customer view URL in the event the admin URL is inaccessible.