Merge pull request #3831 from craftcms/feature/pt-2355-4x-duplicate-a…

…ction-for-edit-product-does-check-permission

Fixed #3819 product duplication not checking permissions

CHANGELOG.md

@@ -1,5 +1,9 @@
 # Release Notes for Craft Commerce
 
+## Unreleased
+
+- Fixed a bug where Edit Product pages would allow duplication for users that didn’t have permission to duplicate the product. ([#3819](https://github.com/craftcms/commerce/issues/3819))
+
 ## 4.7.2 - 2024-12-18
 
 - Fixed a bug where the Edit Order page wasn’t showing order errors.

src/controllers/ProductsController.php

@@ -360,6 +360,11 @@ public function actionSaveProduct(bool $duplicate = false): ?Response
      */
     public function actionDuplicateProduct(): ?Response
     {
+        $product = ProductHelper::productFromPost($this->request);
+        if (!Craft::$app->getElements()->canDuplicate($product)) {
+            throw new ForbiddenHttpException('User is not permitted to duplicate this product');
+        }
+
         return $this->runAction('save-product', ['duplicate' => true]);
     }
 

src/templates/products/_edit.twig

@@ -23,11 +23,13 @@
   }
 ] %}
 {% if product.id %}
-  {% set formActions = formActions|push({
-    label: 'Save as a new {type}'|t('app', { type: product.lowerDisplayName() }),
-    redirect: '{cpEditUrl}'|hash,
-    action: 'commerce/products/duplicate-product'
-  }) %}
+  {% if canDuplicate(product) %}
+    {% set formActions = formActions|push({
+      label: 'Save as a new {type}'|t('app', { type: product.lowerDisplayName() }),
+      redirect: '{cpEditUrl}'|hash,
+      action: 'commerce/products/duplicate-product'
+    }) %}
+  {% endif %}
   {% if canDelete(product) %}
   {% set formActions = formActions|push({
     action: 'commerce/products/delete-product',