Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
I'm using the order coupon list on a customized form for admins to create orders. When using the remove links on the order coupon list view as a user other than the user to whom the order belongs, we get access denied since it fails the commerce_checkout_access test even on UID 1.
I propose adding an additional permission check that tests whether the user has edit access to the order when checking access for whether a user can remove a coupon from an order.
Comment | File | Size | Author |
---|---|---|---|
commerce-coupon-admin-remove-permissions.patch | 814 bytes | fearlsgroove | |
Comments
Comment #2
mdupree CreditAttribution: mdupree as a volunteer and at Acro Commerce commented@fearlsgroove Can you give more explanation on how someone could replicate this to test your fix? patch is simple enough, but I'd like to see how this works in site.
Comment #3
mglamanI won't commit this without tests.
Please provide a test that replicates the error you're seeing (so the test should fail.) Then attach your fix.