Hello!

Users on my website can view a list of their orders on the User profile page.
I added the permission "view own order" for authorised users. I render the commerce_order entity with the "customer" view mode through Panels.

But when a user opens his order, he sees a link to the "admin/commerce/orders" page. If he clicks this link, he sees a 403.
I searched for the reason for this problem - it is the function commerce_order_ui_order_uri().
We check the "view" permission for the user and add a link to the admin page.


Comments

kraynuk.m created an issue. See original summary.

mikhailkrainiuk

Status: Active » Needs review
Attached patch: 645 bytes

I propose checking access with the "access callback" of the "admin/commerce/orders" page, because we render a link to this page.
Could you please review the patch?

Thank you.

rszrama

Category: Bug report » Task

Hmm, I've never seen this on the normal order view page for non-authorized users. Is this because you're using Panels to display the local action link(s)?

mikhailkrainiuk

Why non-authorized users? The users are logged in, but they don't have access to the administration pages.

My actions:
I added a panel with the URL "user/%user/history/%commerce_order".
I opened the "Arguments" section of the panel and set "%commerce_order" to "Commerce Order: ID".
I opened the "Content" section of the Panel variant and added a new panel pane "Rendered Commerce order" from the "Entity" group.

mikhailkrainiuk

Any news?

rszrama

Ok, the issue was I didn't have enough information from your post to piece it together. I finally discovered it's the rendered entity label that Panels automatically links to its entity page. I disagree with that behavior - seems rather aggressive of Panels to randomly link things like that.

However, you're right in that the proper URI isn't chosen for customer views. I'm researching it now to see if your change is all that's required, but I wonder too if we might have a fallback to point to the normal customer view URL in the event the admin URL is inaccessible.
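The two ideas raised in this thread (the issue summary's point that commerce_order_ui_order_uri() only checks "view" permission before linking to the admin page, comment #1's proposal to reuse the access check of the "admin/commerce/orders" page, and the fallback to the customer view URL suggested above) can be combined in a small custom module. The following is an added example written for this thread, not code from the attached patch or from Drupal Commerce itself. It assumes a hypothetical module named `mymodule`, that commerce_order_uri() consults hook_commerce_order_uri() implementations before commerce_order_ui_order_uri() falls back to the admin path, that the customer-facing order page lives at `user/%user/orders/%commerce_order`, and Drupal 7 core's `drupal_valid_path()`, which runs the menu router access callback of a path for the current user.

```php
<?php
/**
 * @file
 * mymodule.module (hypothetical): pick an order URI the current user may open.
 *
 * Added example for this issue, not Drupal Commerce code. Assumes
 * hook_commerce_order_uri() is consulted by commerce_order_uri(), and that
 * the customer order page is user/%user/orders/%commerce_order.
 */

/**
 * Implements hook_commerce_order_uri().
 *
 * Instead of testing a permission and then hard-coding the admin path, ask the
 * menu router whether each candidate page is accessible to the current user.
 * That reuses the access callback of the target page, so the rendered entity
 * label never points at a page that answers 403.
 *
 * Preference order: admin order page, then customer order page, then no link.
 */
function mymodule_commerce_order_uri($order) {
  $candidates = array(
    // Administrative order view, the path commerce_order_ui_order_uri() links to.
    'admin/commerce/orders/' . $order->order_id,
    // Customer-facing order view (assumed path, see file comment).
    'user/' . $order->uid . '/orders/' . $order->order_id,
  );

  foreach ($candidates as $path) {
    // drupal_valid_path() resolves the router item and evaluates its access
    // callback for the current user; an unknown or inaccessible path is FALSE.
    if (drupal_valid_path($path)) {
      return array('path' => $path);
    }
  }

  // Neither page is accessible: return nothing so the label renders as text.
  // Note: commerce_order_ui_order_uri() may still add its own admin link when
  // the user has "view" access; this hook only supplies an earlier answer.
  return NULL;
}
```

The customer page is tried second on purpose: an administrator who also owns the order still lands on the admin view, while a customer with only "view own" rights is sent to the page whose access callback actually grants them entry. Because the decision is delegated to the router, any later change to the admin page's access callback is picked up automatically rather than duplicated in the URI callback.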