I have a user account with permission to view and edit order information, but without the "administer users" permission.
But on the order edit page this user can create new customers.
My proposal is to restrict this functionality by the "administer users" permission or by another permission.
Here is my patch, which only hides this button depending on the "administer users" permission:
Index: uc_order.order_pane.inc
===================================================================
--- uc_order.order_pane.inc (revision 14780)
+++ uc_order.order_pane.inc (working copy)
@@ -192,6 +192,8 @@
* Handle the "Customer Info" order pane.
*/
function uc_order_pane_customer($op, $arg1) {
+ global $user;
+
switch ($op) {
case 'view':
$output = t('Customer number: !user_link', array('!user_link' => $arg1->uid ? l($arg1->uid, 'user/'. $arg1->uid) : '0'))
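Review bot: The `global $user;` added at the top of uc_order_pane_customer() is not needed, because user_access() checks the currently logged-in user when no account argument is passed. Drop the global and call user_access('administer users') in the later hunk; that also avoids pulling $user into scope for every other $op case of this switch, none of which use it in the visible lines.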
@@ -237,10 +239,12 @@
.'/images/order_view.gif" alt="'. t('Search for an existing customer.') .'" '
.'title="'. t('Search for an existing customer.') .'" onclick="load_customer_search();" '
.'style="position: relative; top: 2px; cursor: pointer;" />';
- $output .= ' <img src="'. base_path() . drupal_get_path('module', 'uc_store')
- .'/images/menu_customers_small.gif" alt="'. t('Create a new customer.') .'" '
- .'title="'. t('Create a new customer.') .'" onclick="load_new_customer_form();" '
- .'style="position: relative; top: 2px; cursor: pointer;" />';
+ if (user_access('administer users', $user)) {
+ $output .= ' <img src="'. base_path() . drupal_get_path('module', 'uc_store')
+ .'/images/menu_customers_small.gif" alt="'. t('Create a new customer.') .'" '
+ .'title="'. t('Create a new customer.') .'" onclick="load_new_customer_form();" '
+ .'style="position: relative; top: 2px; cursor: pointer;" />';
+ }
return $output;
case 'edit-theme':
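Review bot: The user_access('administer users', $user) check wrapped around the "Create a new customer" image only controls whether the icon is rendered; nothing in this hunk restricts the request that load_new_customer_form() makes, so the permission is not enforced where the customer is actually created. Apply the same permission check on the server side, in the callback that builds and processes the new customer form, and keep the hidden icon as a UI convenience on top of that. The description should also say which permission is intended long term, since the issue text leaves "administer users" or "another permission" open.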
Comments
Comment #1
TR commented
Please put this into the form of a patch. See http://drupal.org/patch/submit
Comment #2
bzzz commented
File attachment is not working here...
Comment #3
DuaelFr
There is the same issue on the admin/store/orders/create page in the 7.x version.
Seeking in the uc_order.module file, we can see that it is the "edit orders" right which restricts the user to select or create a new customer.
We could use here the "view customers" access right from uc_store, and we should create a new "edit customers" access right to keep admin abilities under better control.
Comment #4
TR commented
New features should go into 7.x-3.x first.
Comment #5
TR commented