Fix permissions check for product ceate and delete

Fixes #3838
craftcms · Jan 8, 2025 · 7df7977 · 7df7977
1 parent 4a60f49
commit 7df7977
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 6 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Release Notes for Craft Commerce
 
+## Unreleased
+
+- Fixed a bug where products could be duplicated without the “Create products” permissions. ([#3838](https://github.com/craftcms/commerce/issues/3838))
+
 ## 5.2.11 - 2025-01-02
 
 - Fixed an error that occurred when rendering a Link field with a product selected on the front end. ([#3833](https://github.com/craftcms/commerce/issues/3833))

diff --git a/src/elements/Product.php b/src/elements/Product.php
@@ -858,7 +858,7 @@ public function canDuplicate(User $user): bool
             return false;
         }
 
-        return $user->can('commerce-editProductType:' . $productType->uid);
+        return Plugin::getInstance()->getProductTypes()->hasPermission($user, $productType, 'commerce-createProducts');
     }
 
     /**
@@ -876,7 +876,7 @@ public function canDelete(User $user): bool
             return false;
         }
 
-        return $user->can('commerce-deleteProducts:' . $productType->uid);
+        return Plugin::getInstance()->getProductTypes()->hasPermission($user, $productType, 'commerce-deleteProducts');
     }
 
     /**

diff --git a/src/services/ProductTypes.php b/src/services/ProductTypes.php
@@ -994,14 +994,17 @@ public function hasPermission(User $user, ProductType $productType, ?string $che
 
         $suffix = ':' . $productType->uid;
 
-        // Required for create and delete permission.
-        $editProductType = strtolower('commerce-editProductType' . $suffix);
-
         if ($checkPermissionName !== null) {
             $checkPermissionName = strtolower($checkPermissionName . $suffix);
+            if (!in_array(strtolower($checkPermissionName), $permissions)) {
+                return false;
+            }
         }
 
-        if (!in_array($editProductType, $permissions) || ($checkPermissionName !== null && !in_array(strtolower($checkPermissionName), $permissions))) {
+        // Required for create and delete permission.
+        $editProductType = strtolower('commerce-editProductType' . $suffix);
+
+        if (!in_array($editProductType, $permissions)) {
             return false;
         }