I'm using the order coupon list on a customized form for admins to create orders. When using the remove links on the order coupon list view as a user other than the user to whom the order belongs, we get access denied since it fails the commerce_checkout_access test even on UID 1.

I propose adding an additional permission check that tests whether the user has edit access to the order when checking access for whether a user can remove a coupon from an order.


Comments

fearlsgroove created an issue.

mdupree

@fearlsgroove Can you give more explanation on how someone could replicate this to test your fix? The patch is simple enough, but I'd like to see how this works on a site.

mglaman

Status: Needs review » Needs work

I won't commit this without tests.

Please provide a test that replicates the error you're seeing (so the test should fail.) Then attach your fix.