1) The admin views for stores and products need to use the "access $entity_type overview", not "administer $entity_type". This was already fixed for orders and carts.

2) Config entity types should not get an "overview permission".

3) Adding a product as an authenticated user with a "create own" permission doesn't allow variation creation. Same with order items. We need to create access control handlers for variations and order items that always return TRUE, thus relying on the parent access control (since these entities can't exist without the parent).

Comments

bojanz created an issue. See original summary.

Title: Improve product permissions » Improve permissions

Expanding scope

Assigned: Unassigned » bojanz

The commit is becoming big, spinning off the product unpublished permission.

  • bojanz committed 9485fd3 on 8.x-2.x
    Issue #2813331 by bojanz: Improve permissions
    
    - Use the 'access...

Status: Active » Fixed

Committed.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.