Discovered when trying to finish #2741295: ProductVariationStorage::loadEnabled, loadFromContext do not respect product variations access rules with a test.

/**
 * Implements hook_entity_access().
 */
function commerce_product_entity_access(EntityInterface $entity, $operation, $account) {
  // Allow published products to be viewed by all users for now.
  // @todo Remove once we implement the full product permissions.
  if ($operation == 'view') {
    if ($entity->getEntityTypeId() == 'commerce_product' && $entity->isPublished()) {
      return AccessResult::allowed();
    }
    elseif ($entity->getEntityTypeId() == 'commerce_product_variation' && $entity->isActive()) {
      return AccessResult::allowed();
    }
  }
  return AccessResult::neutral();
}

We never removed this when we committed the new acces handling.

Comments

mglaman created an issue. See original summary.

mglaman’s picture

mglaman
Primary language English
Location WI, USA
commented
Status: Active » Needs review

PR: https://github.com/drupalcommerce/commerce/pull/665

bojanz’s picture

bojanz commented
Status: Needs review » Closed (duplicate)

Merging into #2909973: Update Commerce for Entity API 8.x-1.0-beta1. The new Entity API release gave us unpublished permissions, we no longer need to add a custom permission provider and access control handler. I need to remove the workaround, copy hook_install() and the test.