Fix permissions check for product ceate and delete

lukeholder · lukeholder · commit 7df79773d118 · 2025-01-08T21:09:17.000+08:00
Fixes #3838
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Release Notes for Craft Commerce
 
+## Unreleased
+
+- Fixed a bug where products could be duplicated without the “Create products” permissions. ([#3838](https://github.com/craftcms/commerce/issues/3838))
+
 ## 5.2.11 - 2025-01-02
 
 - Fixed an error that occurred when rendering a Link field with a product selected on the front end. ([#3833](https://github.com/craftcms/commerce/issues/3833))
diff --git a/src/elements/Product.php b/src/elements/Product.php
@@ -858,7 +858,7 @@ public function canDuplicate(User $user): bool
             return false;
         }
 
-        return $user->can('commerce-editProductType:' . $productType->uid);
+        return Plugin::getInstance()->getProductTypes()->hasPermission($user, $productType, 'commerce-createProducts');
     }
 
     /**
@@ -876,7 +876,7 @@ public function canDelete(User $user): bool
             return false;
         }
 
-        return $user->can('commerce-deleteProducts:' . $productType->uid);
+        return Plugin::getInstance()->getProductTypes()->hasPermission($user, $productType, 'commerce-deleteProducts');
     }
 
     /**
diff --git a/src/services/ProductTypes.php b/src/services/ProductTypes.php
@@ -994,14 +994,17 @@ public function hasPermission(User $user, ProductType $productType, ?string $che
 
         $suffix = ':' . $productType->uid;
 
-        // Required for create and delete permission.
-        $editProductType = strtolower('commerce-editProductType' . $suffix);
-
         if ($checkPermissionName !== null) {
             $checkPermissionName = strtolower($checkPermissionName . $suffix);
+            if (!in_array(strtolower($checkPermissionName), $permissions)) {
+                return false;
+            }
         }
 
-        if (!in_array($editProductType, $permissions) || ($checkPermissionName !== null && !in_array(strtolower($checkPermissionName), $permissions))) {
+        // Required for create and delete permission.
+        $editProductType = strtolower('commerce-editProductType' . $suffix);
+
+        if (!in_array($editProductType, $permissions)) {
             return false;
         }
 

Original file line number	Diff line number	Diff line change
`@@ -858,7 +858,7 @@ public function canDuplicate(User $user): bool`
`858`	`858`	`return false;`
`859`	`859`	`}`
`860`	`860`
`861`		`- return $user->can('commerce-editProductType:' . $productType->uid);`
	`861`	`+ return Plugin::getInstance()->getProductTypes()->hasPermission($user, $productType, 'commerce-createProducts');`
`862`	`862`	`}`
`863`	`863`
`864`	`864`	`/**`
`@@ -876,7 +876,7 @@ public function canDelete(User $user): bool`
`876`	`876`	`return false;`
`877`	`877`	`}`
`878`	`878`
`879`		`- return $user->can('commerce-deleteProducts:' . $productType->uid);`
	`879`	`+ return Plugin::getInstance()->getProductTypes()->hasPermission($user, $productType, 'commerce-deleteProducts');`
`880`	`880`	`}`
`881`	`881`
`882`	`882`	`/**`