Admins can't add profiles to another user's address book [#3086299]

As an admin when I go to another user's address book and I add a profile, the profile owner is set to me instead of the user whose address book I was on. I'm using Commerce 2.14 and Profile 1.0.0.

Here is my theory thus far. It seems to me that Commerce is not supplying a user in the way that Profile does on its user tabs. Here is how it was done in Profile. I wonder if a similar pattern should be followed here? If that's the case, I'd be happy to work on a patch. Thanks!

Comment	File	Size	Author
#6	3086299-6-allow-admin-to-add-profiles.patch	16.68 KB	bojanz
#6	8.x-2.x: PHP 7 & MySQL 5.5, D8.8 640 pass
#5	interdiff-4-5.txt	687 bytes	ericchew
#5	admin-address-book-3086299-5.patch	1.05 KB	ericchew
#5	8.x-2.x: PHP 7 & MySQL 5.5, D8.8 636 pass
#4	admin-address-book-3086299-4.patch	756 bytes	ericchew
#4	8.x-2.x: PHP 7 & MySQL 5.5, D8.8 632 pass, 2 fail

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Comment #1

7 October 2019 at 14:33

lkacenja created an issue. See original summary.

Comment #2

lkacenja

he/him

CreditAttribution: lkacenja at Morris Animal Foundation commented 7 October 2019 at 14:35

Issue summary:

View changes

Comment #3

lkacenja

he/him

CreditAttribution: lkacenja at Morris Animal Foundation commented 7 October 2019 at 15:11

Issue summary:

View changes

Comment #4

ericchew CreditAttribution: ericchew commented 30 January 2020 at 17:21

Status:

Active

» Needs review

File	Size
admin-address-book-3086299-4.patch	756 bytes
8.x-2.x: PHP 7 & MySQL 5.5, D8.8 632 pass, 2 fail

I ran into this issue today. This patch seems to fix it. Its kind of a workaround...it would take a lot of changes to replicate how Profile does it.

Comment #5

ericchew CreditAttribution: ericchew commented 30 January 2020 at 19:06

File	Size
admin-address-book-3086299-5.patch	1.05 KB
8.x-2.x: PHP 7 & MySQL 5.5, D8.8 636 pass
interdiff-4-5.txt	687 bytes

1 file was hidden/shown/deleted

File	Size
admin-address-book-3086299-4.patch	756 bytes
8.x-2.x: PHP 7 & MySQL 5.5, D8.8 632 pass, 2 fail

For some reason my previous patch did not have the proper 'use' statements that it needed.

Comment #6

bojanz CreditAttribution: bojanz at Centarro commented 27 February 2020 at 23:57

File	Size
3086299-6-allow-admin-to-add-profiles.patch	16.68 KB
8.x-2.x: PHP 7 & MySQL 5.5, D8.8 640 pass

Here's the full logic ported over from the Profile module, along with test coverage.

Contains the same security hardenings as Profile 1.1.

Comment #7

28 February 2020 at 00:12

bojanz committed bb2d092 on 8.x-2.x

Issue #3086299 by ericchew, bojanz: Admins can't add profiles to another...

Comment #8

bojanz CreditAttribution: bojanz at Centarro commented 28 February 2020 at 00:12

Status:

Needs review

» Fixed

Committed.

Comment #9

kristiaanvandeneynde

Dutch

Antwerp, Belgium

CreditAttribution: kristiaanvandeneynde at Factorial GmbH commented 10 March 2020 at 15:39

+++ b/modules/order/src/Controller/AddressBookController.php
@@ -117,14 +129,13 @@ class AddressBookController implements ContainerInjectionInterface {
-  public function overviewPage(RouteMatchInterface $route_match) {
-    $user = $route_match->getParameter('user');
+  public function overviewPage(UserInterface $user) {
     $profile_types = $this->addressBook->loadTypes();

This broke our code :(

I see what you're doing here but it was not BC and we had a custom class extending this one to override that specific method.

Comment #10

bojanz CreditAttribution: bojanz at Centarro commented 10 March 2020 at 17:13

Controllers are always @internal, no BC guarantees there.

Maybe we should mark them all final to prevent inheritance, forcing people to copy paste the entire class? It's more redundant but safer. Does mean you also keep all the bugs though. Personally find it better to crash people's overrides to let them know there is an important fix they need to copy over, but it's subjective.

Comment #11

kristiaanvandeneynde

Dutch

Antwerp, Belgium

CreditAttribution: kristiaanvandeneynde at Factorial GmbH commented 11 March 2020 at 10:25

I'm usually careful when extending internal code, but in this case the controller was not marked as @internal.

Maybe we should mark them all final to prevent inheritance, forcing people to copy paste the entire class?

Nah, that's just making people jump through hoops.

Controllers should be extendable because people might need to alter a title callback, an access check or page callback depending on their business logic. If you want to treat it as internal so you can make the changes you made here, I'd be fine with that too but would like to ask you to please mark the classes as @internal then :)

Comment #12

bojanz CreditAttribution: bojanz at Centarro commented 11 March 2020 at 13:11

Please open a followup for making that explicit (adding @internal to all controllers and forms). I believe there was a core issue on the same topic, might be useful to reference.Thanks!