- π¨πSwitzerland megadesk3000
The patch in 33 has a problem together with drupal 10.1 since the line
$store_ids = \Drupal::entityTypeManager()->getStorage('commerce_store')->getQuery()->condition('uid', $account->id())->accessCheck()->execute();
is missing the mandatory access check.I add a patch that fixes that.
- π¨πSwitzerland megadesk3000
Found another missing access check in the original patch and fixed it.
I think this should be done using π± [Meta, Plan] Pitch-Burgh: Policy based access in core Active .
The description of the Flexible permissions β module mentions twice this case, permissions for Commerce stores- πΊπΈUnited States bradhawkins
I ran into some issues with patches 30-34. The patches caused an "InvalidQueryException" error whenever a non-store owner (i.e. a regular user) tried to access their orders via JSON API.
Here's an example of the error produced:
Drupal\Core\Database\InvalidQueryException: Query condition 'commerce_order_2.store_id IN ()' cannot be empty. in Drupal\Core\Database\Query\Condition->condition() (line 117 of /app/web/core/lib/Drupal/Core/Database/Query/Condition.php).I've updated patch 34 to include some if statements to check if $store_ids is empty before continuing.