Granting a role permission to Access the products overview page does not allow the user to view the Product Type field, which they expect to be able to see.

To view the Product Type field, the role must be granted the Administer product types permission. This is very undesirable for a user tasked with simple product creation and management.

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

John Pitcairn created an issue. See original summary.

joachim’s picture

The fix for this is probably to cover the 'view label' access operation in the product type entity.

John Pitcairn’s picture

Hmm ... yeah, I can override it with the appropriate access hook, but the operation needed there is "view".

/**
 * Implements hook_ENTITY_TYPE_access().
 */
function MYMODULE_commerce_product_type_access(ProductTypeInterface $product_type, $operation, AccountInterface $account) {
  if ($operation == 'view') {
    return AccessResult::allowedIf($account->hasPermission('access commerce_product overview'));
  }
}
joachim’s picture

There's a setting in the entity type's access handler that controls whether there is also a 'view label' op. Eg, look in the User entity.

agoradesign’s picture

afaik that was introduced in Drupal 8.4 (or 8.3?)... we have some custom entity types, we are commonly using. As I'm rarely logged in without admin rights, I haven't mentioned for quite a while, that the labels are no longer showing up as they used before... I implemented an access control handler for my entity type, setting the "view" and "view label" permission (dunno why I needed both)....

I think, Commerce (or Entity API) should add a base access control handler for entity types, that will be used throughout the module

John Pitcairn’s picture

Umm …so basically this is a regression for Commerce products?

drugan’s picture

joachim’s picture

What I was thinking of is this:

  /**
   * Allow access to user label.
   *
   * @var bool
   */
  protected $viewLabelOperation = TRUE;
bojanz’s picture

Title: Users with permission to access the products overview page are unable to view the product type field » The permission for viewing entity bundle fields (such as product type) is too strict
zenimagine’s picture

This problem also affects the type of store and the type of profile.

joachim’s picture

Title: The permission for viewing entity bundle fields (such as product type) is too strict » Various entity types need 'view label' access granularity

Retitling this, as it's not the product type field that is blocking access, it's the entity that is referenced there that is preventing its label from being seen.

This affects at least:

- product types
- profile types
- order types
- stores

For example, on my site I have a role that is for users whose sole task is to ship orders. They only need to see the order admin list and then view an order to see what products are in it, and then change its state to complete.

But at /admin/commerce/orders, or indeed any view of orders I might build for them, they can't see the order type or the store.

The fix is that all these entity types need a custom access handler which sets $viewLabelOperation to TRUE, and then to expose a 'view label' permission.

bojanz’s picture

Assigned: Unassigned » bojanz

Added an access control handler to entity api: #2943571: Provide a BundleEntityAccessControlHandler with support for the "view label" operation.

Here we need to update our bundle entity types to use the new handler.

bojanz’s picture

Title: Various entity types need 'view label' access granularity » Bundle entity types (product type, order type, etc) need to support the "view label" access check

Retitling. We're going to focus this issue on the bundle entity types only, because stores already have a "view" permission that can be granted to users.

bojanz’s picture

Status: Active » Needs review
FileSize
2.05 KB

An Entity API release will happen soon, but until it does, we need to test with -dev.

We need test coverage that confirms the /admin/commerce/products view works properly with just "access commerce_product overview" and that the product type labels are shown.

lisastreeter’s picture

Added test coverage for the "access commerce_product overview" permission and /admin/commerce/products view.

  • bojanz committed 65345a8 on 8.x-2.x authored by lisastreeter
    Issue #2949235 by lisastreeter, bojanz: Bundle entity types (product...
bojanz’s picture

Status: Needs review » Fixed

Entity API now has a beta4, tweaked the constraint, and committed the patch. Thanks, everyone.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.