If a user can see user/UID/orders/OID, then they also have access to admin/commerce/orders/OID/view.
This isn't apparent, as there's no link from one to the other.
But it means that fixing #1665540: join up user order view and admin order view for admins -- which would add that link -- can't rely on menu item access.
Comments
Comment #1
rszrama commented: I have two quick thoughts on how to fix this. Wondering which you think is better:
Comment #2
joachim commented: 1 makes the most sense to me, as there may be store admins who need to be able to see orders but not make changes. Also, requiring "access administration pages" is fairly standard for anything under '/admin'. (In fact, I thought it was always required under '/admin'?)
Comment #3
rszrama commented: Apparently not. Might be worth doing the same check for all of our other admin pages.
Comment #4
rszrama commented: Alrighty, I added a new access callback to govern admin order page access. Decided against modifying the existing access function for the customer view to keep this from being an API breaking change.
Commit: http://drupalcode.org/project/commerce.git/commitdiff/212b07f
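
The pattern discussed in this thread, as an added example that is not part of the original issue and is not the code from the commit above: a separate access callback for an admin path that requires "access administration pages" on top of per-order view access, leaving the customer-facing check untouched. The module name `example_orders`, both paths and the page callback are hypothetical; `hook_menu()`, `user_access()`, `commerce_order_load()` (via the `%commerce_order` wildcard) and `commerce_order_access()` are the Drupal 7 and Commerce functions of those names.

```php
<?php

/**
 * Implements hook_menu() for a hypothetical Drupal 7 module, example_orders.
 */
function example_orders_menu() {
  $items = array();

  // Customer-facing page: per-order "view" access is the whole check.
  $items['example-orders/%commerce_order'] = array(
    'title' => 'Order',
    'page callback' => 'example_orders_page',
    'page arguments' => array(1),
    'access callback' => 'commerce_order_access',
    'access arguments' => array('view', 1),
  );

  // Admin page. Reusing the customer check here ('commerce_order_access'
  // with array('view', 2)) would let anyone who can view the order open
  // this path too, which is the behaviour this issue reports. A dedicated
  // callback adds the administrative permission on top.
  $items['admin/example-orders/%commerce_order'] = array(
    'title' => 'Order (admin)',
    'page callback' => 'example_orders_page',
    'page arguments' => array(2),
    'access callback' => 'example_orders_admin_view_access',
    'access arguments' => array(2),
  );

  return $items;
}

/**
 * Access callback for the admin page: both conditions must hold.
 */
function example_orders_admin_view_access($order, $account = NULL) {
  return user_access('access administration pages', $account)
    && commerce_order_access('view', $order, $account);
}

/**
 * Page callback shared by both paths (constructed for this example).
 */
function example_orders_page($order) {
  return array('#markup' => t('Order @number', array('@number' => $order->order_number)));
}
```

Because menu access is cached with the router, the menu has to be rebuilt (for example by clearing caches) before a changed access callback takes effect.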