Fixed permission checks for the commerce screen on edit user

CHANGELOG.md

@@ -1,5 +1,9 @@
 # Release Notes for Craft Commerce
 
+## Unreleased
+
+- Fixed a bug where users could access the Commerce user screen when the current user didn’t have permission. 
+
 ## 5.2.6 - 2024-11-26
 
 - Fixed a bug where variant prices could be displayed incorrectly when inline editing. ([#3768](https://github.com/craftcms/commerce/issues/3768))

src/Plugin.php

@@ -797,7 +797,10 @@ function(DefineBehaviorsEvent $event) {
 
         // Add Commerce info to user edit screen
         Event::on(UsersController::class, UsersController::EVENT_DEFINE_EDIT_SCREENS, function(DefineEditUserScreensEvent $event) {
-            $event->screens[CommerceUsersController::SCREEN_COMMERCE] = ['label' => Craft::t('commerce', 'Commerce')];
+            // Add Commerce screen to user edit screen if the user has permission to access Commerce
+            if (Craft::$app->getUser()->checkPermission('accessPlugin-commerce')) {
+                $event->screens[CommerceUsersController::SCREEN_COMMERCE] = ['label' => Craft::t('commerce', 'Commerce')];
+            }
         });
 
         // Site models are instantiated early meaning we have to manually attach the behavior alongside using the event

src/controllers/UsersController.php

@@ -63,20 +63,23 @@ public function actionIndex(?int $userId = null): Response
 
         $edge = Plugin::getInstance()->getCarts()->getActiveCartEdgeDuration();
 
-        $content = Html::tag('h2', Craft::t('commerce', 'Orders')) .
-            Html::beginTag('div', ['class' => 'commerce-user-orders']) .
+        $content = '';
+
+        if (Craft::$app->getUser()->getIdentity()->can('commerce-manageOrders')) {
+            $content .= Html::tag('h2', Craft::t('commerce', 'Orders')) .
+                Html::beginTag('div', ['class' => 'commerce-user-orders']) .
                 Cp::elementIndexHtml(Order::class, ArrayHelper::merge($config, [
                     'id' => sprintf('element-index-%s', mt_rand()),
                     'jsSettings' => [
                         'criteria' => ['isCompleted' => true],
                     ],
                 ])) .
-            Html::endTag('div') .
+                Html::endTag('div') .
 
-            Html::tag('hr') .
+                Html::tag('hr') .
 
-            Html::tag('h2', Craft::t('commerce', 'Active Carts')) .
-            Html::beginTag('div', ['class' => 'commerce-user-active-carts']) .
+                Html::tag('h2', Craft::t('commerce', 'Active Carts')) .
+                Html::beginTag('div', ['class' => 'commerce-user-active-carts']) .
                 Cp::elementIndexHtml(Order::class, ArrayHelper::merge($config, [
                     'id' => sprintf('element-index-%s', mt_rand()),
                     'jsSettings' => [
@@ -86,12 +89,12 @@ public function actionIndex(?int $userId = null): Response
                         ],
                     ],
                 ])) .
-            Html::endTag('div') .
+                Html::endTag('div') .
 
-            Html::tag('hr') .
+                Html::tag('hr') .
 
-            Html::tag('h2', Craft::t('commerce', 'Inactive Carts')) .
-            Html::beginTag('div', ['class' => 'commerce-user-active-carts']) .
+                Html::tag('h2', Craft::t('commerce', 'Inactive Carts')) .
+                Html::beginTag('div', ['class' => 'commerce-user-active-carts']) .
                 Cp::elementIndexHtml(Order::class, ArrayHelper::merge($config, [
                     'id' => sprintf('element-index-%s', mt_rand()),
                     'jsSettings' => [
@@ -101,7 +104,8 @@ public function actionIndex(?int $userId = null): Response
                         ],
                     ],
                 ])) .
-            Html::endTag('div');
+                Html::endTag('div');
+        }
 
 
         if (Craft::$app->getUser()->getIdentity()->can('commerce-manageSubscriptions') and !empty(Plugin::getInstance()->getPlans()->getAllPlans())) {