After installing the modules, I took the following steps and was able to create a product in another Merchant user's store.

Upon installing the Marketplace modules:

  1. Create two new users, Merchant1, and Merchant2, both with Merchant permissions
  2. Login as Merchant1 and create a new Store 'Merchant 1 Store'
  3. Login as Merchant2 and create a new store 'Merchant 2 Store'
  4. Still logged in as Merchant2, create a product but type 'Merchant 1 Store' into the Store field. The autofill will find the Merchant 1 Store
  5. Click Save and the system will add the new product to the Merchant 1 Store

Actual outcome of your steps: This is NOT desirable and I believe there needs to be an extra permission stopping one Merchant/User from adding products to another user's store. The current outcome is that a product is added into the other user's store.

Desired outcome of the steps: The system should stop Merchant2 from adding products to Merchant1's store.

Comments

maciej.zgadzaj

A quick update on this - the easiest way to "fix" it is to disable the View any store of any type permission (enabled by default) for anonymous and authenticated users (including merchant role). This will give users access only to those store entities they have created themselves.

I have enabled this permission by default planning on having some kind of public store pages in the future, listing store products etc, but as it's not the case yet it could be easily disabled.

dsearle

Thanks for explaining this. I now have the desired behaviour with the various roles assigned to the users of the site. Cheers!

  • 35fb8f6 committed on 7.x-1.x
    Issue #2306285: Merchant User able to create product in other Merchant's...

maciej.zgadzaj

Status: Active » Fixed

For the moment this has been fixed in 35fb8f6 - the View any store of any type permission is no longer granted to anonymous and authenticated users when the commerce_store module is being installed.

This means that all those who already have this module installed need to remove this permission manually in the backoffice.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

hedel

Status: Closed (fixed) » Active

@Maciej, I'm sorry to reopen this issue, but the proposed solution creates another problem.
If the permission 'View any store of any type permission' is removed, the users can't see their orders in user/%/orders
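
The conflict in this thread, modelled as an added example (not Commerce Marketplace code and not written by any participant): the store field is assumed to authorize on view access, as the workaround implies, and the orders page is assumed to need view access to the store, as the last comment reports. The hypothetical `can_add_product()` ownership check shows that deciding "may attach a product" separately from "may view" blocks cross-store products without revoking view access.

```php
<?php
// Constructed model, not Commerce Marketplace code: store name => owning user.
$stores = ['Merchant 1 Store' => 'Merchant1', 'Merchant 2 Store' => 'Merchant2'];

// View access: granted to everyone when "view any store" is enabled,
// otherwise only to the user who created the store.
function can_view_store($user, $store, array $stores, $view_any) {
  return $view_any || $stores[$store] === $user;
}

// Hypothetical dedicated check: attaching a product requires owning the
// store, independent of who is allowed to view it.
function can_add_product($user, $store, array $stores) {
  return isset($stores[$store]) && $stores[$store] === $user;
}

// Evaluate the two scenarios from the thread under one configuration.
function evaluate(array $stores, $view_any, $separate_check) {
  // Step 4 of the report: Merchant2 references 'Merchant 1 Store'.
  $attach = $separate_check
    ? can_add_product('Merchant2', 'Merchant 1 Store', $stores)
    : can_view_store('Merchant2', 'Merchant 1 Store', $stores, $view_any);
  // Assumption taken from the last comment: listing orders needs view
  // access to the store the order belongs to.
  $orders = can_view_store('Customer', 'Merchant 1 Store', $stores, $view_any);
  return ['cross_store_product' => $attach, 'customer_sees_orders' => $orders];
}

$cases = [
  'default permissions'        => evaluate($stores, true, false),
  'view-any revoked (35fb8f6)' => evaluate($stores, false, false),
  'view-any + ownership check' => evaluate($stores, true, true),
];
foreach ($cases as $label => $r) {
  printf("%-28s cross-store product: %-3s  orders visible: %s\n",
    $label,
    $r['cross_store_product'] ? 'yes' : 'no',
    $r['customer_sees_orders'] ? 'yes' : 'no');
}
```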