Fixed #3819 product duplication not checking permissions

craftcms · Dec 30, 2024 · 032c9b5 · 032c9b5
1 parent 1b40aeb
commit 032c9b5
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 0 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Release Notes for Craft Commerce
 
+## Unreleased
+
+- Fixed a bug where Edit Product pages would allow duplication for users that didn’t have permission to duplicate the product. ([#3819](https://github.com/craftcms/commerce/issues/3819))
+
 ## 4.7.2 - 2024-12-18
 
 - Fixed a bug where the Edit Order page wasn’t showing order errors.

diff --git a/src/controllers/ProductsController.php b/src/controllers/ProductsController.php
@@ -360,6 +360,11 @@ public function actionSaveProduct(bool $duplicate = false): ?Response
      */
     public function actionDuplicateProduct(): ?Response
     {
+        $product = ProductHelper::productFromPost($this->request);
+        if (!Craft::$app->getElements()->canDuplicate($product)) {
+            throw new ForbiddenHttpException('User is not permitted to duplicate this product');
+        }
+
         return $this->runAction('save-product', ['duplicate' => true]);
     }