Issue
-
If the user creates a custom regular role with some permissions, such as view permissions for the order list, the user will also be able to access the edit or add options. They can also edit the option in the payment section of this order.
Steps to reproduce:
1. Create a Minium site and place one order.
2. Navigate to Commerce> Order Management> Orders
Here, you can see 'Edit', and 'Add' inside the order
3. Navigate to Control Panel> Users and Organization> Create a regular role
Assign view permissions only in Channel and Order
4. Now, create a new user and assign this role
5. Login as this user to observe that they can see orders with edit or add options, which should not be the case if they only have view permission.
Expected Behavior: The “Edit” buttons don’t appear.
Observed Behavior: The “edit” buttons appear but are useless since the user doesn’t have permission to edit the Order
Environment
- Liferay DXP 7.4
- Commerce 4.0
Resolution
- The observed behavior is a known bug that has been addressed via COMMERCE-12025 and also included in update 92.
Additional Information
- Please submit a support ticket with the patch details attached if you require a hotfix or more information on this.
- Installing Fix Packs and Hotfixes on Liferay DXP will guide you to install the Fixpack or Hotfix in your environment.