Unpublished variation access

Created on 27 August 2020, about 4 years ago
Updated 12 September 2024, 4 days ago

Problem/Motivation

Product variation access is checked against the product it belongs to, with a bypass for users with the admin permission administer commerce_product, yet the test of whether the variation is published or not is not covered by the ProductVariationAccessControlHandler and relies on the classes loading variations (Product or ProductVariationStorage, for example).

This raises multiple concerns:
- Third-party integrations may give access to unpublished variations if they do not test the variation status
- Checking at multiple levels if the variation is published may create duplicated lines of code
- Administrators may not access unpublished variations depending on the context

Proposed resolution

The access handler ProductVariationAccessControlHandler could check the product variation status to centralize the mechanism and allow users with the admin or manage permission to access the variation.

🐛 Bug report
Status

Needs review

Version

2.0

Component

Product

Created by

🇨🇭Switzerland Aerzas
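
The decision order proposed in this issue, as an added standalone PHP model; it is not code from the issue, the merge request or the Commerce code base. The function names, array keys and the `manage ...` and `view commerce_product` permission strings are assumptions made for illustration; only `administer commerce_product` is named in the issue.

```php
<?php
declare(strict_types=1);

// Standalone model of the proposed decision order. Not Drupal or Commerce
// code: every function name and array key below is hypothetical.

const ADMIN_PERMISSION = 'administer commerce_product'; // named in the issue

/** Decide 'view' access to a variation in one place. */
function variation_view_access(array $variation, array $permissions): string {
  // 1. Admin bypass, which the issue says already exists.
  if (in_array(ADMIN_PERMISSION, $permissions, true)) {
    return 'allowed';
  }
  // 2. No parent product means nothing to inherit access from.
  $product = $variation['product'] ?? null;
  if ($product === null) {
    return 'forbidden';
  }
  // 3. Proposed central status check: an unpublished variation is visible
  //    only with the manage permission (string format is an assumption).
  if (!$variation['published']) {
    $manage = "manage {$variation['bundle']} commerce_product_variation";
    return in_array($manage, $permissions, true) ? 'allowed' : 'forbidden';
  }
  // 4. Published variation: defer to the product it belongs to.
  return product_view_access($product, $permissions);
}

/** Simplified stand-in for the parent product's own access check. */
function product_view_access(array $product, array $permissions): string {
  $can_view = in_array('view commerce_product', $permissions, true); // assumed name
  return ($product['published'] && $can_view) ? 'allowed' : 'forbidden';
}

// Constructed sample data: one published product with two variations.
$product = ['published' => true];
$live = ['published' => true, 'bundle' => 'default', 'product' => $product];
$draft = ['published' => false, 'bundle' => 'default', 'product' => $product];
$cases = [
  'anonymous / published' => [$live, ['view commerce_product']],
  'anonymous / unpublished' => [$draft, ['view commerce_product']],
  'manager / unpublished' => [$draft, ['manage default commerce_product_variation']],
  'admin / unpublished' => [$draft, [ADMIN_PERMISSION]],
  'admin / orphaned' => [['published' => false, 'bundle' => 'default', 'product' => null], [ADMIN_PERMISSION]],
];
foreach ($cases as $label => [$variation, $permissions]) {
  printf("%-26s %s\n", $label, variation_view_access($variation, $permissions));
}
```

A caller that asks this one function never needs its own status test, which is the first concern listed in the issue.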

Comments & Activities

  • 🇹🇭Thailand AlfTheCat

    This looks like a bug to me.

    Steps to reproduce:

    • Create a view with product variations
    • Unpublish a product variation shown in the view
    • Access the view as an anonymous user and you will see that the unpublished variation shows up.

    In my case, the web store displays variations, not products. So this is a big problem.

  • First commit to issue fork.
  • Merge request !327 "Issue #3167716: Unpublished variation access" (Open) created by tgauges
  • Pipeline finished with Success
    13 days ago
    Total: 479s
    #272591
  • Status changed to Needs review 13 days ago
  • 🇩🇪Germany tgauges

    I created an issue fork with the existing patch applied. The tests seem fine. I'm currently in the process of testing the code in a project.

  • Pipeline finished with Failed
    12 days ago
    Total: 475s
    #273235
  • 🇩🇪Germany tgauges

    I tested the changes against version 2.37 of the module and it works as expected. One could argue that this is not really a bug and merging this change would amount to a breaking change. In this case this issue lends itself to version 3 of this module, but that is for the maintainer to decide.

  • Status changed to Needs work 4 days ago
  • 🇩🇪Germany Anybody Porta Westfalica

    @tgauges thank you, great work!

    Tests are failing and it looks related:
    Drupal\Tests\commerce_product\Kernel\ProductVariationStorage 0 passes 1 fails

  • Pipeline finished with Failed
    4 days ago
    Total: 497s
    #281270
  • Status changed to Needs review 4 days ago
  • 🇩🇪Germany tgauges

    I fixed the relevant test but now another unrelated (?) test is failing. Could you take a look at it?
