The "access overview" permission is not used/respected

Needs functional test to verify bug then fix.

+++ b/modules/promotion/commerce_promotion.routing.yml
@@ -23,3 +23,11 @@ entity.commerce_promotion_coupon.generate_form:
+    _permission: 'access commerce_promotion overview+administer commerce_promotion'

I'm curious why we need to manually define this route and fix the permissions.

I want to look into the route provider as well to see what is up. This permission access commerce_promotion overview does not exist, as far as I know. Unless Drupal\commerce\EntityPermissionProvider is providing it (I don't think so?)

Thanks for the tests!

Discussed in Slack: we need to open an issue in the Entity API queue about the bug and add a # @todo Remove once :link resolved

There is nothing to do in Entity API, actually. It is providing the generally accepted permission of "overview". However, Drupal core does not support that type of permission granularity.

The route itself uses the admin permission

      $route = new Route($entity_type->getLinkTemplate('collection'));
      $route
        ->addDefaults([
          '_entity_list' => $entity_type->id(),
          '_title' => $label->getUntranslatedString(),
          '_title_arguments' => $label->getArguments(),
          '_title_context' => $label->getOption('context'),
        ])
        ->setRequirement('_permission', $admin_permission);

This means the permission bug is present on any entity collection overridden by a View. So we need to provide an overridden RouterProvider or keep the manual fix in the routing.yml.

Discussed with bojanz and agoradesign. It sounds like the way forward would still be a patch in Entity API. Entity API should have a route provider which respects the overview permission. It will need to check that the entity uses the EntityPermissionProvider handler and adds the overview permission alongside the admin permission.

This is blocked by #2951270: Core's generated collection routes do not support the provided "access overview" permission

I'm going to postpone this on the other issue. Just makes the issue queue easier to grok.

We should make the change in all of our entity types. Product attributes have the same problem (since they don't use a view), and others could easily trigger this if someone disables a shipped view.

We probably don't need a test, since we're relying on Entity API (and at one point core) to do the heavy lifting.

It's only for Order and Product. Product Attributes we only have the admin permission.

Retry on patch.

We definitely have the following permissions:
- Access the product attributes overview page
- Access the stores overview page

I'll go ahead and convert ProductAttribute and Store as well.

Fixed Store and ProductAttribute, updated the references to the PermissionProvider while I was at it (the Commerce one has been deprecated in 2.0 but was still used).