I have a user account with permission to view and edit order information, but without the "administer users" permission.
But on the order edit page this user can create new customers.
My proposal is to restrict this functionality with the "administer users" permission or with another permission.

Here is my patch, which only hides this button depending on the "administer users" permission:

Index: uc_order.order_pane.inc
===================================================================
--- uc_order.order_pane.inc	(revision 14780)
+++ uc_order.order_pane.inc	(working copy)
@@ -192,6 +192,8 @@
  * Handle the "Customer Info" order pane.
  */
 function uc_order_pane_customer($op, $arg1) {
+  global $user;
+
   switch ($op) {
     case 'view':
       $output = t('Customer number: !user_link', array('!user_link' => $arg1->uid ? l($arg1->uid, 'user/'. $arg1->uid) : '0'))
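Review bot: the `global $user;` added at the top of uc_order_pane_customer() is not needed, because user_access() checks the currently logged-in user when no account argument is passed. Drop the global and call `user_access('administer users')` where the check is made, so the function does not pull in a global it only uses once.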
@@ -237,10 +239,12 @@
                 .'/images/order_view.gif" alt="'. t('Search for an existing customer.') .'" '
                 .'title="'. t('Search for an existing customer.') .'" onclick="load_customer_search();" '
                 .'style="position: relative; top: 2px; cursor: pointer;" />';
-      $output .= ' <img src="'. base_path() . drupal_get_path('module', 'uc_store')
-                .'/images/menu_customers_small.gif" alt="'. t('Create a new customer.') .'" '
-                .'title="'. t('Create a new customer.') .'" onclick="load_new_customer_form();" '
-                .'style="position: relative; top: 2px; cursor: pointer;" />';
+      if (user_access('administer users', $user)) {
+        $output .= ' <img src="'. base_path() . drupal_get_path('module', 'uc_store')
+                  .'/images/menu_customers_small.gif" alt="'. t('Create a new customer.') .'" '
+                  .'title="'. t('Create a new customer.') .'" onclick="load_new_customer_form();" '
+                  .'style="position: relative; top: 2px; cursor: pointer;" />';
+      }
       return $output;
 
     case 'edit-theme':
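Review bot: the `user_access('administer users', $user)` check wraps only the `<img>` markup for the "Create a new customer" button, so the restriction exists in the rendered HTML alone. Nothing in this patch touches load_new_customer_form() or the server-side callback behind it, so the same permission needs to be enforced where that request is handled; hiding the control is a UI nicety, not an access check. It is also worth deciding in this hunk whether "administer users" is the right gate, since it grants far more than creating a customer from an order; a narrower dedicated permission would fit the proposal better.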

Comments

TR

Status: Active » Needs work

Please put this into the form of a patch. See http://drupal.org/patch/submit

bzzz

File attachment is not working here...

DuaelFr

There is the same issue on the admin/store/orders/create page in the 7.x version.

Looking in the uc_order.module file, we can see that it is the "edit orders" right which restricts whether the user can select or create a new customer.
Here we could use the "view customers" access right from uc_store, and we should create a new "edit customers" access right to keep admin abilities under better control.
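The permission split proposed in the comment above, shown as an added Drupal 7 example that is not Ubercart's code and not part of the thread. The module name `example_customers`, the path `example/customer/new` and the form are hypothetical; only the "edit customers" permission name comes from the comment.

```php
<?php
// Hypothetical module "example_customers" (assumption, not Ubercart code).

/**
 * Implements hook_permission(): declares the narrower right.
 */
function example_customers_permission() {
  return array(
    'edit customers' => array(
      'title' => t('Edit customers'),
      'description' => t('Create customer accounts while editing orders.'),
    ),
  );
}

/**
 * Implements hook_menu(): the access check lives on the callback itself,
 * so it applies no matter how the request was produced.
 */
function example_customers_menu() {
  $items['example/customer/new'] = array(
    'title' => 'Create a new customer',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('example_customers_new_form'),
    'access arguments' => array('edit customers'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Form builder for the hypothetical "new customer" form.
 */
function example_customers_new_form($form, &$form_state) {
  $form['email'] = array(
    '#type' => 'textfield',
    '#title' => t('E-mail'),
    '#required' => TRUE,
  );
  $form['submit'] = array('#type' => 'submit', '#value' => t('Create'));
  return $form;
}

/**
 * Pane controls: the link is rendered only for permitted users. This is
 * presentation only; enforcement is the 'access arguments' entry above.
 */
function example_customers_pane_controls() {
  return user_access('edit customers')
    ? l(t('Create a new customer.'), 'example/customer/new') : '';
}
```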

TR

Version: 6.x-2.2 » 7.x-3.x-dev

New features should go into 7.x-3.x first.

TR

Version: 7.x-3.x-dev » 8.x-4.x-dev