Problem in commerce/module/orders/src/Controller/AddressBookController.php

Created on 31 December 2024

Problem with checkCreateAccess in commerce/orders/AddressBookController.

There is a problem with the AddressBookController which causes access to be denied for creating address book entries unless the individual has the 'administer profile' global permission, even if they have permission to administer certain profile types. The problem is in the logic of line 298. What is currently "if ($result->isAllowed())" should be "if (!$result->isAllowed())". The comments are correct, but the logic is backwards.

    if ($result->isAllowed()) {
      // There is no create any/own permission, confirm that the account is
      // either an administrator, or they're creating a profile for themselves.
      $admin_permission = $this->entityTypeManager->getDefinition('profile')->getAdminPermission();
      $owner_result = AccessResult::allowedIfHasPermission($account, $admin_permission)
        ->orIf(AccessResult::allowedIf($account->id() == $user->id()))
        ->cachePerUser();
      $result = $result->andIf($owner_result);
    }

This is even though the comments clearly state that the condition is for the case where there is no create any/own permission.
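To make the effect of the condition concrete, the following is an added example and not code from Drupal Commerce or the profile module. It uses a small stand-in for Drupal's AccessResult combinators (allowed, neutral and forbidden states combined with orIf and andIf) and traces the quoted block in both forms of the condition for a few constructed accounts. The permission names, the account records, and the assumption that the $result computed before the block is granted by the admin permission or by a per-type create permission are all illustrative; the code that produces $result is not shown on the page.

```php
<?php
// Added example, not Drupal Commerce code. Toy stand-in for Drupal's
// AccessResult: three states, orIf/andIf combinators, isAllowed().
final class ToyAccessResult {
  const FORBIDDEN = -1;
  const NEUTRAL = 0;
  const ALLOWED = 1;

  private function __construct(private int $state) {}

  public static function allowedIf(bool $condition): self {
    return new self($condition ? self::ALLOWED : self::NEUTRAL);
  }

  public static function allowedIfHasPermission(array $account, string $permission): self {
    return self::allowedIf(in_array($permission, $account['permissions'], TRUE));
  }

  // OR: forbidden wins, then allowed if either side allows, otherwise neutral.
  public function orIf(self $other): self {
    if ($this->state === self::FORBIDDEN || $other->state === self::FORBIDDEN) {
      return new self(self::FORBIDDEN);
    }
    return new self(max($this->state, $other->state));
  }

  // AND: forbidden wins, allowed only if both sides allow, otherwise neutral.
  public function andIf(self $other): self {
    if ($this->state === self::FORBIDDEN || $other->state === self::FORBIDDEN) {
      return new self(self::FORBIDDEN);
    }
    return new self(min($this->state, $other->state));
  }

  public function isAllowed(): bool {
    return $this->state === self::ALLOWED;
  }
}

// Assumed permission names for the illustration.
const ADMIN_PERMISSION = 'administer profile';
const TYPE_PERMISSION = 'create customer profile';

// Assumed stand-in for the $result computed before the quoted block:
// granted by the admin permission or by the per-type create permission.
function createAccess(array $account): ToyAccessResult {
  return ToyAccessResult::allowedIfHasPermission($account, ADMIN_PERMISSION)
    ->orIf(ToyAccessResult::allowedIfHasPermission($account, TYPE_PERMISSION));
}

// The quoted block. $inverted = FALSE is the condition as written on line 298,
// $inverted = TRUE is the negated condition proposed in the report.
function checkCreateAccess(array $account, array $user, bool $inverted): bool {
  $result = createAccess($account);
  $enter_block = $inverted ? !$result->isAllowed() : $result->isAllowed();
  if ($enter_block) {
    // There is no create any/own permission, confirm that the account is
    // either an administrator, or they're creating a profile for themselves.
    $owner_result = ToyAccessResult::allowedIfHasPermission($account, ADMIN_PERMISSION)
      ->orIf(ToyAccessResult::allowedIf($account['id'] === $user['id']));
    $result = $result->andIf($owner_result);
  }
  return $result->isAllowed();
}

// Constructed accounts. $customer is the user the address book entry is for.
$customer = ['id' => 7, 'permissions' => []];
$accounts = [
  'administrator'   => ['id' => 1, 'permissions' => [ADMIN_PERMISSION]],
  'type manager'    => ['id' => 2, 'permissions' => [TYPE_PERMISSION]],
  'customer (self)' => $customer,
  'no permissions'  => ['id' => 9, 'permissions' => []],
];

printf("%-16s %-11s %-11s\n", 'account', 'as written', 'inverted');
foreach ($accounts as $label => $account) {
  printf("%-16s %-11s %-11s\n", $label,
    checkCreateAccess($account, $customer, FALSE) ? 'allowed' : 'denied',
    checkCreateAccess($account, $customer, TRUE) ? 'allowed' : 'denied');
}
```

Run it with `php example.php`. The 'type manager' row is the case the report describes: an account that holds only a per-type create permission and is creating an entry for another user. With the condition as written, that account enters the block even though $result already allows it, and andIf against an owner check that is neutral (not an administrator, not the same user) pulls the combined result back to neutral, which isAllowed() reports as denied. Note that in these semantics andIf can never raise a neutral $result to allowed, so what the negated condition does for accounts that hold neither permission depends entirely on how the real $result is produced before line 298.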

🐛 Bug report

Status: Active
Version: 2.0
Component: Order
