[4.x]: edit actions available for order when Edit Orders permission not enabled

jmauzyk commented 4 weeks ago

What happened?

Description

When a user has the "Manage orders" permission enabled, but not the "Edit orders" permission, a number of actions to edit and remove remain visible. It's possible to click these actions and make changes to the order and line items, although it's not possible to save.

Steps to reproduce

Enable the "Manage orders" permission for a user without enabling the sub-permission "Edit orders".
With this user account logged in, view a CP order edit page.

Expected behavior

Expected edit and remove action buttons to be hidden since "Edit orders" is not enabled.

Actual behavior

An "Edit" and "Edit adjustments" button remain visible on the order, as well as "Edit" and "Remove" buttons for the line items.

Craft CMS version

Pro 4.9.7

Craft Commerce version

4.6.2

PHP version

8.2.19

Operating system and version

Linux 6.6.26-linuxkit

Database type and version

PostgreSQL 14.9

Image driver and version

Imagick 3.7.0 (ImageMagick 6.9.11-60)

Installed plugins and versions

No response

linear[bot] commented 4 weeks ago

PT-1806 [4.x]: edit actions available for order when Edit Orders permission not enabled

nfourtythree commented 3 weeks ago

Hi @jmauzyk

Thank you for raising this issue, we have pushed a fix for this which will be included in the next release of Commerce.

Thanks!

craftcms / commerce