Users with "View" permission is able to edit the commerce product

• An issue with the permissions assigned for the role under Catalog and Product.
• A regular role is created in which the view access is assigned for Catalog and Products but the user is still able to edit and open the products and also able to navigate through the different tabs in it.
• However, when the user performs few changes in the products and tries to publish, the error: "You do not have the required permissions" is encountered.

• According to the role assigned to the user since “Update” permission is not assigned to the Product, users can still see the "Edit" icon on the Product page, browse the internal details (different tabs) of the product, and "Publish" button is also available and when users proceed with the clicking of "Publish" button, error "You do not have required permission" is encountered.

• Why there are both the functionalities (Edit icon and Publish button) available if “Update” permission is not assigned?
• As per the requirement, users can view the products but should not be able to access the "Publish" button, or in short "Publish" button should be hidden if “Update” permission is unavailable to the role.

Steps to reproduce:

1. Login to Liferay DXP 2024.Q1.1.
2. Create a Minium site.
3. Create a regular role and define the permissions as "View" for Catalog and "Access in Control Panel" and "View" permissions for Products.
4. Create a user and assign the above-created role. Also, assign the membership as "Minium" to this user.
5. Login with the new user. Go to Control Panel -> click and open the Products option.
6. Choose any product from the list and see that this user is able to edit and open the product. Moreover, the user is also able to navigate through all the tabs present in the products.
7. Now try to perform any changes to the product and click on the "Publish" button. It is seen that the error "You do not have the required permissions" occurs and the user fails to perform the changes.

Actual Result: The user is able to click, edit, and open the products.
Expected Result: When the "view" permission has been assigned to the user, then the user should only have access to view the product page and should not be able to click, edit, and open the products.

Here is the attached video showcasing the detailed steps.

• Liferay DXP [all versions]

• The reported issue is not classified as a product bug but rather a UX improvement request. As such, it falls under a feature request rather than a defect.
• However, the current behavior encountered is consistent across multiple Commerce components (i.e. same behavior is seen in the order admin view as well). Therefore, implementing a change specifically for Products would require broader modifications across other components as well.
• However, users can wish to remove the “View“ permission from the catalog and then it is observed that the users are unable to see the list of products, and the below-attached error is thrown in the UI.
  
  
  
  
• If the above permission is not as per the requirement, then the request will be taken further as a Feature Request in the upcoming releases of DXP.
• However, the expected behavior is considered under the new feature and hence feature enhancement request has been submitted. It can be tracked here: LPD-48379

• Creating and Upvoting Feature Requests: https://help.liferay.com/hc/en-us/articles/360018123132-Requesting-a-New-Feature-or-Feature-Improvement
• Info about the Feature Request Process: https://liferay.dev/en/feedback/feature-requests