Manage/Edit Orders Permission #1692
Description
Description
On Commerce 2, there's a single "Manage Orders" permission. When a user with those permissions goes to view an order, they can go ahead and view the order as usual.
On Commerce 3, the docs mention:
We have added the “Edit orders” and “Delete orders” user permissions, but users with the existing “Manage orders” permission will not automatically get these new permissions, so updating those users and user groups would be required.
Okay, makes sense. On the permissions page, the Manage Orders permission says:
This permission lets the user see orders.
Is this a bug or holdover text from the Commerce 2 docs? I can download a PDF of an order from the main orders index page:
which is weird but if I try to go in and view an order, I get locked out:
I'm not sure if that's a bug or intended? Someone who can't view orders certainly have the ability to download PDFs of them?
Maybe there needs to be a "View" permission which is granted upon migration—or is that how the top level Manage Orders permission is supposed to work? Or, upon migration, simply let the "Manage Orders" permission cascade to allow the 2 other permissions as well?
FWIW the other way Commerce 2 worked was users can view the order and change order status. Right now, if you don't have the Edit Order permission, you can't do either. (As an aside, that might be a useful permission to add: "Edit Order Status". )