#939938 by rszrama: use the access checkout permission in various pla…

…ces, resolve some bugs in the commerce_checkout_access() function, and add a hook for additional checkout routing.
rszrama · Oct 20, 2010 · a3a35a4 · a3a35a4
1 parent 41f1dfd
commit a3a35a4
Show file tree

Hide file tree

Showing 6 changed files with 32 additions and 15 deletions.
diff --git a/modules/cart/commerce_cart.module b/modules/cart/commerce_cart.module
@@ -23,12 +23,10 @@ function commerce_cart_menu() {
     'file' => 'includes/commerce_cart.pages.inc',
   );
 
-  // TODO: Replace access control with something more pertinent to checkout
-  // besides 'access content'.
   $items['checkout'] = array(
     'title' => 'Checkout',
     'page callback' => 'commerce_cart_checkout_router',
-    'access arguments' => array('access content'),
+    'access arguments' => array('access checkout'),
     'type' => MENU_CALLBACK,
     'file' => 'includes/commerce_cart.pages.inc',
   );

diff --git a/modules/cart/includes/commerce_cart.pages.inc b/modules/cart/includes/commerce_cart.pages.inc
@@ -146,6 +146,7 @@ function commerce_cart_form($form, &$form_state, $order) {
     '#value' => t('Checkout'),
     '#submit' => $submit + array('commerce_cart_form_submit'),
     '#weight' => 45,
+    '#access' => user_access('access checkout'),
   );
 
   // We append the validate handler to #validate in case a form callback_wrapper

diff --git a/modules/checkout/commerce_checkout.module b/modules/checkout/commerce_checkout.module
@@ -14,21 +14,19 @@
 function commerce_checkout_menu() {
   $items = array();
 
-  // TODO: Add some sort of access control beyond 'access content' permission so
-  // customers don't checkout other customers' orders.
   $items['checkout/%commerce_order'] = array(
     'title' => 'Checkout',
     'page callback' => 'commerce_checkout_router',
     'page arguments' => array(1),
-    'access arguments' => array('access content'),
+    'access arguments' => array('access checkout'),
     'type' => MENU_CALLBACK,
     'file' => 'includes/commerce_checkout.pages.inc',
   );
   $items['checkout/%commerce_order/%commerce_checkout_page'] = array(
     'title' => 'Checkout',
     'page callback' => 'commerce_checkout_router',
     'page arguments' => array(1, 2),
-    'access arguments' => array('access content'),
+    'access arguments' => array('access checkout'),
     'type' => MENU_CALLBACK,
     'file' => 'includes/commerce_checkout.pages.inc',
   );
@@ -77,12 +75,12 @@ function commerce_checkout_permission() {
   $permissions = array(
     'administer checkout' => array(
       'title' => t('Administer checkout'),
-      'description' => t('Configure checkout settings and the checkout form itself.'),
+      'description' => t('Access checkout for any order and configure checkout settings including the layout of the checkout form.'),
       'restrict access' => TRUE,
     ),
     'access checkout' => array(
       'title' => t('Access checkout'),
-      'description' => t('Complete a purchase through the checkout form.'),
+      'description' => t('Complete a purchase through the checkout form or be (or be redirected to login based on checkout settings).'),
     ),
   );
 
@@ -535,6 +533,13 @@ function commerce_checkout_access($order, $checkout_page, $account = NULL) {
     }
   }
   else {
+    // Return FALSE if the order does have a uid.
+    if ($order->uid) {
+      return FALSE;
+    }
+
+    // And then return FALSE if the anonymous user's session doesn't specify
+    // this order ID.
     if (empty($_SESSION['commerce_cart_order_id']) || $_SESSION['commerce_cart_order_id'] != $order->order_id) {
       return FALSE;
     }
@@ -553,10 +558,7 @@ function commerce_checkout_access($order, $checkout_page, $account = NULL) {
         return FALSE;
       }
     }
-    elseif ($checkout_page->page_id != 'complete') {
-      // TODO: This will likely cause problems for orders in statuses that have
-      // been canceled or something where accessing a checkout completion page
-      // shouldn't be possible.
+    else {
       return FALSE;
     }
   }
@@ -584,6 +586,17 @@ function commerce_checkout_access($order, $checkout_page, $account = NULL) {
       }
     }
   }
+  // We've now handled above cases where the user is trying to access a checkout
+  // page other than the completion page for an order that is not in a checkout
+  // status.  We then handled cases where the user is trying to access any
+  // checkout page for orders in a checkout status.  We now turn to cases where
+  // the user is accessing the complete page for any other order state.
+  elseif ($checkout_page->page_id == 'complete') {
+    // Don't allow completion page access for orders in the cart or canceled states.
+    if (in_array($order_status->state, array('canceled', 'cart'))) {
+      return FALSE;
+    }
+  }
 
   return TRUE;
 }

diff --git a/modules/checkout/includes/commerce_checkout.admin.inc b/modules/checkout/includes/commerce_checkout.admin.inc
@@ -12,10 +12,11 @@
 function commerce_checkout_settings_form($form, &$form_state) {
   global $base_url;
 
+  // TODO: Remove these settings in favor of hook_commerce_checkout_router()
+  // implementations and checkout completion Rules.
   $form['anonymous'] = array(
     '#type' => 'fieldset',
     '#title' => t('Anonymous checkout settings'),
-    '#description' => t('These settings alter the behavior of checkout when an anonymous user completes checkout.'),
   );
   $form['anonymous']['commerce_checkout_anonymous_account'] = array(
     '#type' => 'radios',

diff --git a/modules/checkout/includes/commerce_checkout.pages.inc b/modules/checkout/includes/commerce_checkout.pages.inc
@@ -28,6 +28,10 @@ function commerce_checkout_router($order, $checkout_page = NULL) {
     drupal_goto(variable_get('commerce_checkout_empty_redirect', '<front>'));
   }
 
+  // Prior to displaying the checkout form, allow other modules to route the
+  // checkout form.
+  module_invoke_all('commerce_checkout_router');
+
   // Update the page title if specified.
   if (!empty($checkout_page->title)) {
     drupal_set_title($checkout_page->title);

diff --git a/...s/line_item/includes/views/handlers/commerce_line_item_handler_area_line_item_summary.inc b/...s/line_item/includes/views/handlers/commerce_line_item_handler_area_line_item_summary.inc
@@ -78,7 +78,7 @@ class commerce_line_item_handler_area_line_item_summary extends views_handler_ar
       }
 
       // Only add the checkout link if checkout is enabled.
-      if (module_exists('commerce_checkout') && $this->options['links']['checkout'] === 'checkout') {
+      if (module_exists('commerce_checkout') && $this->options['links']['checkout'] === 'checkout' && user_access('access checkout')) {
         $links['line-item-summary-checkout'] = array(
           'title' => t('Checkout'),
           'href' => 'checkout',