Orders list page contains Add/Edit option for the users having only view permission


  • If the user creates a custom regular role with some permissions, such as view permissions for the order list, the user will also be able to access the edit or add options. They can also edit the option in the payment section of this order. 

    Steps to reproduce:
    1. Create a Minium site and place one order.
    2. Navigate to Commerce> Order Management> Orders
    Here, you can see 'Edit', and 'Add' inside the order 
    3. Navigate to Control Panel> Users and Organization> Create a regular role
    Assign view permissions only in Channel and Order
    4. Now, create a new user and assign this role
    5. Login as this user to observe that they can see orders with edit or add options, which should not be the case if they only have view permission.
    Expected Behavior: The “Edit” buttons don’t appear.
    Observed Behavior: The “edit” buttons appear but are useless since the user doesn’t have permission to edit the Order


  • Liferay DXP 7.4 
  • Commerce 4.0


  • The observed behavior is a known bug that has been addressed via COMMERCE-12025 and also included in update 92.

Additional Information

¿Fue útil este artículo?
Usuarios a los que les pareció útil: 0 de 0