Currently, because we initiate the access check by checking the permission, all users always have access to all order checkouts.

We need to fix the callback so that we properly decline access.

Comments

harings_rob created an issue. See original summary.

harings_rob’s picture

bojanz’s picture

The tests are great. Investigating why the order of the checks matters.

EDIT: Found it, we weren't assigning the result of $access->andIf() back to access, so the owner check was never returned.

  • bojanz committed 857f69d on 8.x-2.x authored by harings_rob
    Issue #2755101 by harings_rob: Anonymous users always have access to...
bojanz’s picture

Status: Needs review » Fixed

Boom :)

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.