Merge pull request #61 from craftcms/bugfix/permissions-adjustments

additional permissions checks
craftcms · Nov 27, 2024 · f533465 · f533465
2 parents 78c84bc + b6a4d02
commit f533465
Show file tree

Hide file tree

Showing 4 changed files with 6 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,6 +3,8 @@
 ## Unreleased
 
 - Fixed a bug where the products index page gave impression that it was possible to sort by Link. ([#59](https://github.com/craftcms/stripe/issues/59))
+- Fixed a bug where, in certain cases, it was possible to access a Subscription element in a slideout without having permission to access the Stripe plugin. ([#61](https://github.com/craftcms/stripe/pull/61))
+- Fixed a bug where the “Sync from Stripe” user menu item was shown even if user didn't permission to access the Stripe plugin. ([#61](https://github.com/craftcms/stripe/pull/61))
 
 ## 1.3.0 - 2024-11-19
 

diff --git a/src/Plugin.php b/src/Plugin.php
@@ -577,7 +577,7 @@ private function registerUserActions(): void
             Element::EVENT_DEFINE_ACTION_MENU_ITEMS,
             function(DefineMenuItemsEvent $event) {
                 $sender = $event->sender;
-                if ($email = $sender->email) {
+                if ($email = $sender->email && Craft::$app->getUser()->checkPermission('accessPlugin-stripe')) {
                     $customers = Plugin::getInstance()->getApi()->fetchAllCustomers(['email' => $email]);
                     if ($customers) {
                         $stripeIds = collect($customers)->pluck('id');

diff --git a/src/controllers/CustomersController.php b/src/controllers/CustomersController.php
@@ -7,6 +7,7 @@
 
 namespace craft\stripe\controllers;
 
+use Craft;
 use craft\controllers\EditUserTrait;
 use craft\elements\User;
 use craft\helpers\Cp;
@@ -56,6 +57,7 @@ public function actionIndex(?int $userId = null): Response
             'context' => 'embedded-index',
             'jsSettings' => [
                 'criteria' => ['userId' => $user->id],
+                'static' => !Craft::$app->getUser()->checkPermission('editUsers'),
             ],
         ]);
 

diff --git a/src/elements/Subscription.php b/src/elements/Subscription.php
@@ -410,7 +410,7 @@ protected static function defineDefaultCardAttributes(): array
      */
     public function canView(User $user): bool
     {
-        return true;
+        return parent::canView($user) || $user->can('accessPlugin-stripe');
     }
 
     /**