When a custom access rules are implemented for product variations using hook_ENTITY_TYPE_access(), the product selection list of variations show up the variations even when do not pass access.

CommentFileSizeAuthor
#7 2741295-7.patch1.59 KBmglaman
#6 2741295-6.patch1.13 KBmglaman
#2 fix_access_check_of_variations-2741295.patch846 bytescitlacom

Comments

citlacom created an issue. See original summary.

citlacom’s picture

citlacom commented
StatusFileSize
new fix_access_check_of_variations-2741295.patch846 bytes
citlacom’s picture

citlacom commented
Status: Active » Needs review
bojanz’s picture

bojanz commented
Status: Needs review » Needs work

I'm fine with doing this filtering in loadEnabled(). Let's do it after the event is fired though, that way if the event ends up adding variations (which it shouldn't, but you never know), we are still access-covered.

We also need to expand ProductVariationStorageTest::testLoadEnabled() to test for this.

mglaman’s picture

mglaman
Primary language English
Location WI, USA
commented
Assigned: Unassigned » mglaman

Updated based on #4.

mglaman’s picture

mglaman
Primary language English
Location WI, USA
commented
Issue tags: +Needs tests
StatusFileSize
new 2741295-6.patch1.13 KB

Keeping at needs work because of tests.

mglaman’s picture

mglaman
Primary language English
Location WI, USA
commented
Title: ProductVariationStorage::loadEnabled do not respect product variations access rules » ProductVariationStorage::loadEnabled, loadFromContext do not respect product variations access rules
StatusFileSize
new 2741295-7.patch1.59 KB

We need to check in loadFromContext as well that the variation from the URL query is allowed.

mglaman’s picture

mglaman
Primary language English
Location WI, USA
commented

PR started https://github.com/drupalcommerce/commerce/pull/664. Still needs tests. Blocked by #2857837: Products and variations are bypassing access control

  • bojanz committed 2b88df4 on 8.x-2.x authored by mglaman 
    Issue #2741295 by mglaman, citlacom: ProductVariationStorage::...
bojanz’s picture

bojanz commented
Status: Needs work » Fixed

Thanks, everyone.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.