From 7df79773d118818bdc44fe2b5650da6e2ac89a3a Mon Sep 17 00:00:00 2001
From: Luke Holder
Date: Wed, 8 Jan 2025 21:09:17 +0800
Subject: [PATCH] Fix permissions check for product ceate and delete

Fixes #3838
---
 CHANGELOG.md | 4 ++++
 src/elements/Product.php | 4 ++--
 src/services/ProductTypes.php | 11 +++++++----
 3 files changed, 13 insertions(+), 6 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index f7c0980ff6..70c98e7d78 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Release Notes for Craft Commerce
 
+## Unreleased
+
+- Fixed a bug where products could be duplicated without the “Create products” permissions. ([#3838](https://github.com/craftcms/commerce/issues/3838))
+
 ## 5.2.11 - 2025-01-02
 
 - Fixed an error that occurred when rendering a Link field with a product selected on the front end. ([#3833](https://github.com/craftcms/commerce/issues/3833))
diff --git a/src/elements/Product.php b/src/elements/Product.php
index b8acf1a1e0..909e03d569 100644
--- a/src/elements/Product.php
+++ b/src/elements/Product.php
@@ -858,7 +858,7 @@ public function canDuplicate(User $user): bool
             return false;
         }
 
-        return $user->can('commerce-editProductType:' . $productType->uid);
+        return Plugin::getInstance()->getProductTypes()->hasPermission($user, $productType, 'commerce-createProducts');
     }
 
     /**
@@ -876,7 +876,7 @@ public function canDelete(User $user): bool
             return false;
         }
 
-        return $user->can('commerce-deleteProducts:' . $productType->uid);
+        return Plugin::getInstance()->getProductTypes()->hasPermission($user, $productType, 'commerce-deleteProducts');
     }
 
     /**
diff --git a/src/services/ProductTypes.php b/src/services/ProductTypes.php
index d771561364..a0e0ff2bf9 100755
--- a/src/services/ProductTypes.php
+++ b/src/services/ProductTypes.php
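Review bot: The new `return` in canDuplicate maps duplication onto the `commerce-createProducts` permission without saying why, and hasPermission() also enforces `commerce-editProductType:<uid>` (the check this line used to make directly), so the gate is now two permissions rather than one. A one-line comment above the return would keep that visible to the next maintainer: `// Duplicating creates a new product, so require "Create products"; hasPermission() also enforces the product type's edit permission.` canDuplicate's signature and the guard that precedes `return false;` lie outside the hunk.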
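Review bot: Switching canDelete from `$user->can('commerce-deleteProducts:' . $productType->uid)` to hasPermission() also makes `commerce-editProductType:<uid>` mandatory, because hasPermission() checks it unconditionally after the specific permission, which `$user->can()` did not require; the changelog entry only describes the duplication fix. If the delete permission is registered nested under the product type's edit permission, this is a no-op for users managed through the control panel, but permissions assigned by other means could lose delete access silently. Either add a changelog line noting that deleting now also requires the product type's edit permission, or comment the intent: `// hasPermission() also requires the product type's edit permission, not just "Delete products".` The enclosing method starts outside the hunk.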
@@ -994,14 +994,17 @@ public function hasPermission(User $user, ProductType $productType, ?string $che
         $suffix = ':' . $productType->uid;
 
-        // Required for create and delete permission.
-        $editProductType = strtolower('commerce-editProductType' . $suffix);
-
         if ($checkPermissionName !== null) {
             $checkPermissionName = strtolower($checkPermissionName . $suffix);
+            if (!in_array(strtolower($checkPermissionName), $permissions)) {
+                return false;
+            }
         }
 
-        if (!in_array($editProductType, $permissions) || ($checkPermissionName !== null && !in_array(strtolower($checkPermissionName), $permissions))) {
+        // Required for create and delete permission.
+        $editProductType = strtolower('commerce-editProductType' . $suffix);
+
+        if (!in_array($editProductType, $permissions)) {
             return false;
         }
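Review bot: The added check `if (!in_array(strtolower($checkPermissionName), $permissions))` lowercases a value the previous line has just lowercased, and both `in_array()` calls still use loose comparison. Since `$permissions` holds permission-name strings, drop the redundant call and pass `strict: true` so no numeric-string coercion can ever produce a match: `if (!in_array($checkPermissionName, $permissions, true)) {` and `if (!in_array($editProductType, $permissions, true)) {`. The relocated comment `// Required for create and delete permission.` now understates what the code does, because the `commerce-editProductType:<uid>` check runs on every call, including when `$checkPermissionName` is null, where it is the only check; `// The product type's edit permission is required for every check, whether or not a specific permission was requested.` describes the new flow. The start of hasPermission(), where `$permissions` is populated, and its final return lie outside the hunk.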