In RulesUIController::overviewTable()

    foreach ($entities as $id => $entity) {
      if (user_access('bypass rules access') || $entity->access()) {
        $rows[] = $this->overviewTableRow($conditions, $id, $entity, $options);
      }
    }

By the time this $entity->access() call meanders its way through to EntityDrupalWrapper::entityAccess(), its $entity_type has been set to "commerce_order" and the $entity object itself is empty. This results in the permission "view any commerce order" controlling the display on the rules overview page when the reaction rule is a payment method.

Changing the above code to

    foreach ($entities as $id => $entity) {
      $wrapper = entity_metadata_wrapper('rules_config', $entity);
      if (user_access('bypass rules access') || $wrapper->access('view')) {
        $rows[] = $this->overviewTableRow($conditions, $id, $entity, $options);
      }
    }

appears to put the overview page back under control of rules_config_access().
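A reduced, stand-alone PHP 8 model of the behaviour described in the summary above, added here as an illustration and not taken from Rules, Entity API or Commerce. The names `ModelConfig`, `model_access` and `visible_rows` are hypothetical, and the mapping of 'rules_config' to the 'administer rules' permission is an assumption; only 'view any commerce order' and 'bypass rules access' come from the post.

```php
<?php
// Constructed model: the permission that gates an overview row depends on
// the entity type the access check is resolved against.

// Hypothetical per-type access table (assumption, not Drupal's registry).
const ACCESS_PERMISSION = [
  'rules_config'   => 'administer rules',         // assumed permission
  'commerce_order' => 'view any commerce order',  // permission named in the post
];

// Stand-in for a type-dispatched access check.
function model_access(string $entity_type, array $user_perms): bool {
  if (!isset(ACCESS_PERMISSION[$entity_type])) {
    return FALSE; // unknown type: fail closed
  }
  return in_array(ACCESS_PERMISSION[$entity_type], $user_perms, TRUE);
}

// Stand-in for a configuration whose own access() resolves against the type
// of the data it reacts on (the behaviour the post reports).
final class ModelConfig {
  public function __construct(public string $name, public string $reactsOn) {}
  public function access(array $user_perms): bool {
    return model_access($this->reactsOn, $user_perms);
  }
}

// $explicit = FALSE models the original loop; TRUE models the proposed loop,
// which pins the check to 'rules_config'.
function visible_rows(array $configs, array $user_perms, bool $explicit): array {
  $rows = [];
  foreach ($configs as $config) {
    $allowed = in_array('bypass rules access', $user_perms, TRUE)
      || ($explicit ? model_access('rules_config', $user_perms)
                    : $config->access($user_perms));
    if ($allowed) {
      $rows[] = $config->name;
    }
  }
  return $rows;
}

// Constructed sample data: one payment-method rule and two accounts.
$configs = [new ModelConfig('payment_method_example', 'commerce_order')];
$accounts = [['view any commerce order'], ['administer rules']];
foreach ($accounts as $perms) {
  var_dump(visible_rows($configs, $perms, FALSE), visible_rows($configs, $perms, TRUE));
}
```

Running both accounts through both variants shows which permission decides whether the row is listed, which is the property a regression test for this page should pin down.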

Comments

kjl created an issue. See original summary.


Status: Active » Closed (works as designed)

I suppose this is more a consequence of commerce_payment making "event" part of the $conditions sent to overviewTable(), and this issue should be taken up in the commerce issue queue.

Closing.