diff --git a/CHANGELOG.md b/CHANGELOG.md
index 20b74c0148..0f492d723f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Release Notes for Craft Commerce
+## Unreleased
+
+- Fixed a bug where users could access the Commerce user screen when the current user didn’t have permission.
+
 ## 5.2.6 - 2024-11-26
 - Fixed a bug where variant prices could be displayed incorrectly when inline editing. ([#3768](https://github.com/craftcms/commerce/issues/3768))
diff --git a/src/Plugin.php b/src/Plugin.php
index 4e5522ebaa..e8764107b6 100755
--- a/src/Plugin.php
+++ b/src/Plugin.php
@@ -797,7 +797,10 @@ function(DefineBehaviorsEvent $event) {
 // Add Commerce info to user edit screen
 Event::on(UsersController::class, UsersController::EVENT_DEFINE_EDIT_SCREENS, function(DefineEditUserScreensEvent $event) {
- $event->screens[CommerceUsersController::SCREEN_COMMERCE] = ['label' => Craft::t('commerce', 'Commerce')];
+ // Add Commerce screen to user edit screen if the user has permission to access Commerce
+ if (Craft::$app->getUser()->checkPermission('accessPlugin-commerce')) {
+ $event->screens[CommerceUsersController::SCREEN_COMMERCE] = ['label' => Craft::t('commerce', 'Commerce')];
+ }
 });
 // Site models are instantiated early meaning we have to manually attach the behavior alongside using the event
diff --git a/src/controllers/UsersController.php b/src/controllers/UsersController.php
index 71a5063227..812ace7bdf 100644
--- a/src/controllers/UsersController.php
+++ b/src/controllers/UsersController.php
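Review bot: The new `accessPlugin-commerce` check in the Plugin.php hunk only decides whether the Commerce tab is listed; the screen itself stays reachable by URL unless `CommerceUsersController::actionIndex` (only partly visible in the hunks below) enforces the same permission, e.g. `$this->requirePermission('accessPlugin-commerce');` at the top of the action — if Craft's CP routing already rejects plugin-controller requests for users without `accessPlugin-*`, a short comment on the `if` saying so would settle that for the next reader. Separately, the tab is listed for anyone with plugin access, while the UsersController hunks render the Orders and Subscriptions sections only for `commerce-manageOrders` / `commerce-manageSubscriptions`, so a user with `accessPlugin-commerce` but neither of those gets an empty tab; gating the listing on those two permissions as well would avoid that. The pre-existing `// Add Commerce info to user edit screen` line and the added comment now say nearly the same thing, so one of them can go.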
@@ -63,20 +63,23 @@ public function actionIndex(?int $userId = null): Response
 $edge = Plugin::getInstance()->getCarts()->getActiveCartEdgeDuration();
- $content = Html::tag('h2', Craft::t('commerce', 'Orders')) .
- Html::beginTag('div', ['class' => 'commerce-user-orders']) .
+ $content = '';
+
+ if (Craft::$app->getUser()->getIdentity()->can('commerce-manageOrders')) {
+ $content .= Html::tag('h2', Craft::t('commerce', 'Orders')) .
+ Html::beginTag('div', ['class' => 'commerce-user-orders']) .
 Cp::elementIndexHtml(Order::class, ArrayHelper::merge($config, [
 'id' => sprintf('element-index-%s', mt_rand()),
 'jsSettings' => [
 'criteria' => ['isCompleted' => true],
 ],
 ])) .
- Html::endTag('div') .
+ Html::endTag('div') .
- Html::tag('hr') .
+ Html::tag('hr') .
- Html::tag('h2', Craft::t('commerce', 'Active Carts')) .
- Html::beginTag('div', ['class' => 'commerce-user-active-carts']) .
+ Html::tag('h2', Craft::t('commerce', 'Active Carts')) .
+ Html::beginTag('div', ['class' => 'commerce-user-active-carts']) .
 Cp::elementIndexHtml(Order::class, ArrayHelper::merge($config, [
 'id' => sprintf('element-index-%s', mt_rand()),
 'jsSettings' => [
@@ -86,12 +89,12 @@ public function actionIndex(?int $userId = null): Response
 ],
 ],
 ])) .
- Html::endTag('div') .
+ Html::endTag('div') .
- Html::tag('hr') .
+ Html::tag('hr') .
- Html::tag('h2', Craft::t('commerce', 'Inactive Carts')) .
- Html::beginTag('div', ['class' => 'commerce-user-active-carts']) .
+ Html::tag('h2', Craft::t('commerce', 'Inactive Carts')) .
+ Html::beginTag('div', ['class' => 'commerce-user-active-carts']) .
 Cp::elementIndexHtml(Order::class, ArrayHelper::merge($config, [
 'id' => sprintf('element-index-%s', mt_rand()),
 'jsSettings' => [
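Review bot: The new `if (Craft::$app->getUser()->getIdentity()->can('commerce-manageOrders'))` dereferences `getIdentity()`, which is nullable when there is no logged-in identity, whereas the Plugin.php hunk uses the null-safe form; `if (Craft::$app->getUser()->checkPermission('commerce-manageOrders')) {` matches that and reads the same (the pre-existing subscriptions check at the end of the @@ -101 hunk has the same shape, so this follows precedent rather than introducing it). A one-line comment that this is a UI gate only would help, since the order data itself is served by the element index action, which is presumably enforcing the Order element's own view permission — worth confirming rather than relying on the hidden section. Style: the added `Html::*` lines are re-indented one level into the new `if` block but the `Cp::elementIndexHtml(...)` argument blocks stay as unchanged context at the old indentation, so the concatenation now has mixed indentation inside the block; re-indenting those lines too would keep it consistent (same in the @@ -86 hunk). The `if` opened here is closed in the @@ -101 hunk.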
@@ -101,7 +104,8 @@ public function actionIndex(?int $userId = null): Response
 ],
 ],
 ])) .
- Html::endTag('div');
+ Html::endTag('div');
+ }
 if (Craft::$app->getUser()->getIdentity()->can('commerce-manageSubscriptions') and !empty(Plugin::getInstance()->getPlans()->getAllPlans())) {