Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Granting a role permission to Access the products overview page
does not allow the user to view the Product Type
field, which they expect to be able to see.
To view the Product Type
field, the role must be granted the Administer product types
permission. This is very undesirable for a user tasked with simple product creation and management.
Comment | File | Size | Author |
---|---|---|---|
#15 | interdiff-2949235-14-15-do-not-test.diff | 6.07 KB | lisastreeter |
#15 | 2949235-15-bundle-access.patch | 8.25 KB | lisastreeter |
| |||
#14 | 2949235-14-bundle-access.patch | 2.05 KB | bojanz |
|
Comments
Comment #2
joachim CreditAttribution: joachim commentedThe fix for this is probably to cover the 'view label' access operation in the product type entity.
Comment #3
John Pitcairn CreditAttribution: John Pitcairn commentedHmm ... yeah, I can override it with the appropriate access hook, but the operation needed there is "view".
Comment #4
joachim CreditAttribution: joachim commentedThere's a setting in the entity type's access handler that controls whether there is also a 'view label' op. Eg, look in the User entity.
Comment #5
agoradesign CreditAttribution: agoradesign commentedafaik that was introduced in Drupal 8.4 (or 8.3?)... we have some custom entity types, we are commonly using. As I'm rarely logged in without admin rights, I haven't mentioned for quite a while, that the labels are no longer showing up as they used before... I implemented an access control handler for my entity type, setting the "view" and "view label" permission (dunno why I needed both)....
I think, Commerce (or Entity API) should add a base access control handler for entity types, that will be used throughout the module
Comment #6
John Pitcairn CreditAttribution: John Pitcairn commentedUmm …so basically this is a regression for Commerce products?
Comment #7
drugan CreditAttribution: drugan as a volunteer commentedThe possible fix:
https://github.com/drugan/commerce_multistore/blob/master/src/Multistore...
Comment #8
joachim CreditAttribution: joachim as a volunteer commentedWhat I was thinking of is this:
Comment #9
bojanz CreditAttribution: bojanz at Centarro commentedComment #10
zenimagine CreditAttribution: zenimagine commentedThis problem also affects the type of store and the type of profile.
Comment #11
joachim CreditAttribution: joachim commentedRetitling this, as it's not the product type field that is blocking access, it's the entity that is referenced there that is preventing its label from being seen.
This affects at least:
- product types
- profile types
- order types
- stores
For example, on my site I have a role that is for users whose sole task is to ship orders. They only need to see the order admin list and then view an order to see what products are in it, and then change its state to complete.
But at /admin/commerce/orders, or indeed any view of orders I might build for them, they can't see the order type or the store.
The fix is that all these entity types need a custom access handler which sets $viewLabelOperation to TRUE, and then to expose a 'view label' permission.
Comment #12
bojanz CreditAttribution: bojanz at Centarro commentedAdded an access control handler to entity api: #2943571: Provide a BundleEntityAccessControlHandler with support for the "view label" operation.
Here we need to update our bundle entity types to use the new handler.
Comment #13
bojanz CreditAttribution: bojanz at Centarro commentedRetitling. We're going to focus this issue on the bundle entity types only, because stores already have a "view" permission that can be granted to users.
Comment #14
bojanz CreditAttribution: bojanz at Centarro commentedAn Entity API release will happen soon, but until it does, we need to test with -dev.
We need test coverage that confirms the /admin/commerce/products view works properly with just "access commerce_product overview" and that the product type labels are shown.
Comment #15
lisastreeter CreditAttribution: lisastreeter at Centarro commentedAdded test coverage for the "access commerce_product overview" permission and /admin/commerce/products view.
Comment #17
bojanz CreditAttribution: bojanz at Centarro commentedEntity API now has a beta4, tweaked the constraint, and committed the patch. Thanks, everyone.