Give Vendor Selective Permission To View A Document

Hello,

There are 2 things I want to do. I want to give vendors permission to see payout invoices from the backend (currently they can only see order invoices) and I want to give vendor permission to see a custom document made by me. I learned how to use the schema for vendor privileges and I managed to allow them to see both the payout invoice and my custom document.

The problem I'm facing is how can I restrict for example the payout invoice so that only the vendor from the invoice can see it. If I give access to vendors in the backend to the invoices, one vendor can see ALL invoices if they have the link. I saw that the order invoices are restricted to other vendors and I couldn't figure how it was done. Can anyone explain this to me?

Hopefully I'm explaining this clearly:

1. Payout Invoice -> Vendor access (I know how to do this part) -> Only one vendor should see this and admin (I don't know how to do this)

2. Custom Document -> Vendor access -> Only one vendor should see this and admin

Are you stating that when a vendor runs your custom 'mode' to show the document, that they see documents from other vendors?

Yes. For example only the vendor that is in the order can see this document/order https://www.example.com/vendor.php?dispatch=orders.print_invoice&order_id=145(vendor company_id = 40 in document so anyone else shouldn't be able to access this document/mode)

I want to do the same for my custom document but also for the payout invoice since vendors can't see those in the backend.

Your query for the documents should cover this. I'd do something like the following in your controller that provides the data to your template.:

$company_condition = '';
if( $company_id = Registry::get('runtime.company_id') )
  $company_condition = "AND company_id=$company_id";

$sql = “SELECT your select criteria here WHERE 1 $company_condition”

Your query for the documents should cover this. I'd do something like the following in your controller that provides the data to your template.:

$company_condition = '';
if( $company_id = Registry::get('runtime.company_id') )
  $company_condition = "AND company_id=$company_id";

$sql = “SELECT your select criteria here WHERE 1 $company_condition”

Yes, thank you! I will do that for my custom document. I have a follow-up question though. What do I do in the case of the payout invoice document? I saw that company_id = 0 in payout orders. In the frontend the document uses "fn_is_order_allowed" which seems to work based on user_id. The backend uses "fn_get_order_info" which is based on company_id which is 0 for some reason. What would be the solution in this case? I tried in the past to give company_id the proper value, but I didn't succeed since the function that creates the payout invoice doesn't have a hook in it.

Edit: Nevermind. I get now why company_id is 0. The question still remains though. How can I show this payout invoice to the vendor?

Company_id zero is for the merchant. I.e. non-vendor actions. All vendors are assigned a company_id. So when the runtime.company_id is zero, you are running in the context of the store admin. When it's not, you're running in the context of the vendor.

In the frontend, everything is "running" as company_id zero and products have a company_id related to a vendor and that's what determines how orders are split.

@tbirnseth thanks for the help so far :-)

Oke. I have managed to do what I wanted. I have one last question though about payouts. Why is the order_id in the vendor_payouts sql table 0? Shouldn't it correspond to an actual order from the orders sql table? I'd like to use that in order to determine if a user has access to the order. The only way I can tell that a payout is linked to a order is by the comment... which is not that good.

@tbirnseth thanks for the help so far :-)

Oke. I have managed to do what I wanted. I have one last question though about payouts. Why is the order_id in the vendor_payouts sql table 0? Shouldn't it correspond to an actual order from the orders sql table? I'd like to use that in order to determine if a user has access to the order. The only way I can tell that a payout is linked to a order is by the comment... which is not that good.

Sorry, I have no idea. All entries in my development DB with order_id == 0 are for payouts.

hi
did you manage to make this work and if so could you share please , I'm new but very disappointed in the lack of vendor reporting options especially concerning pay-outs/withdraws etc
Carolyn

@tbirnseth thanks for the help so far :-)

Oke. I have managed to do what I wanted. I have one last question though about payouts. Why is the order_id in the vendor_payouts sql table 0? Shouldn't it correspond to an actual order from the orders sql table? I'd like to use that in order to determine if a user has access to the order. The only way I can tell that a payout is linked to a order is by the comment... which is not that good.