[4.x]: Users are unable to cancel their subscriptions

[martyspain]

What happened?

Description

We are experiencing issues with users unable to cancel subscriptions by submitting a form to commerce/subscriptions/cancel. Doing so returns an 'Unable to cancel subscription at this time' error, which seems to be related to a change to the line that checks if the user can modify this subscription.

This line in commerce/controllers/Subscription.php checks if the user can modify the subscription by calling the subscription's canSave method:

$canModifySubscription = $subscription->canSave(Craft::$app->getUser()->getIdentity());

This in turn calls the parent Element class's canView method, and if this returns false it falls through to checking if the user has permissions to manage subscriptions:

return parent::canView($user) || $user->can('commerce-manageSubscriptions');

The call to the Element canView method just creates a new AuthorizationCheckEvent which sets an authorized property to be false, then triggers the EVENT_AUTHORIZE_VIEW event and returns the authorized property of the event. I can't find any Subscription-specific code that listens to this event and checks if the user should be authorized to modify their subscription, so it seems that this call will always return false.

This suggests that for customers to cancel their subscriptions, we have to either assign them to a user group that has the commerce-manageSubscriptions permission applied, or write an event listener into our own application logic that listens for EVENT_AUTHORIZE_VIEW and modifies the authorized property accordingly.

I can't find anything in the Commerce 4 migration documentation, the Commerce Subscription documentation or the Commerce Stripe plugin documentation that mentions this permission now being required.

Am I correct in thinking that this is all working as expected and as of Commerce 4 we must make sure we assign the commerce-manageSubscriptions permission to customers now in order to allow them to cancel their own subscriptions? Or is this a bug that needs resolving?

Steps to reproduce

1. Set up a user with an active subscription via the Commerce Strip gateway
2. Submit a front-end form to cancel the subscription to commerce/subscriptions/cancel endpoint

Expected behavior

The subscription to be cancelled successfully

Actual behavior

The cancel controller method returns an error and the subscription is not cancelled.

Craft CMS version

4.2.3

Craft Commerce version

4.1.1

PHP version

8.0

Operating system and version

No response

Database type and version

No response

Image driver and version

No response

Installed plugins and versions

• Stripe for Craft Commerce 3.0.1

[pdaleramirez]

@martyspain This is the expected behavior on the latest version. We are planning to add more granular subscription permission in future releases.

[martyspain]

OK, thanks for clarifying. I think that this should be added to the Commerce docs and release notes, to help others coming along who may have encountered the same issue.

[okolvik-avento]

@pdaleramirez @martyspain Sorry for necroing this, but there still aren't any more granular permissions. I don't feel comfortable giving 'commerce-manageSubscriptions' permissions to users/groups, as any logged in user with that permission can in theory modify other peoples subscription if they get access to the uid.

EVENT_AUTHORIZE_VIEW doesn't seem to be a good workaround as the subscription is not pushed as part of the event.
The event is even deprecated.

[ryanirelan]

I was bitten by this, too, just last week. I created a PR to add this change to the docs and Commerce 4 upgrade guide.

[ryanirelan]

This was fixed and coming in next version: #3155 (comment)