From 2c898940f9d3019ec22a2f2978e3261d0b707aaf Mon Sep 17 00:00:00 2001
From: Iwona Just
Date: Tue, 26 Nov 2024 08:27:31 +0000
Subject: [PATCH 1/5] additional permissions checks
---
 src/Plugin.php | 2 +-
 src/controllers/CustomersController.php | 2 ++
 src/elements/Subscription.php | 2 +-
 3 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/Plugin.php b/src/Plugin.php
index 6ba93ec..0a9eba2 100644
--- a/src/Plugin.php
+++ b/src/Plugin.php
@@ -577,7 +577,7 @@ private function registerUserActions(): void
 Element::EVENT_DEFINE_ACTION_MENU_ITEMS,
 function(DefineMenuItemsEvent $event) {
 $sender = $event->sender;
- if ($email = $sender->email) {
+ if ($email = $sender->email && Craft::$app->getUser()->checkPermission('accessPlugin-stripe')) {
 $customers = Plugin::getInstance()->getApi()->fetchAllCustomers(['email' => $email]);
 if ($customers) {
 $stripeIds = collect($customers)->pluck('id');
diff --git a/src/controllers/CustomersController.php b/src/controllers/CustomersController.php
index f7094e2..d0d1cf2 100644
--- a/src/controllers/CustomersController.php
+++ b/src/controllers/CustomersController.php
@@ -7,6 +7,7 @@
 namespace craft\stripe\controllers;
+use Craft;
 use craft\controllers\EditUserTrait;
 use craft\elements\User;
 use craft\helpers\Cp;
@@ -56,6 +57,7 @@ public function actionIndex(?int $userId = null): Response
 'context' => 'embedded-index',
 'jsSettings' => [
 'criteria' => ['userId' => $user->id],
+ 'static' => !Craft::$app->getUser()->checkPermission('editUsers'),
 ],
 ]);
diff --git a/src/elements/Subscription.php b/src/elements/Subscription.php
index 715c095..924819e 100644
--- a/src/elements/Subscription.php
+++ b/src/elements/Subscription.php
@@ -410,7 +410,7 @@ protected static function defineDefaultCardAttributes(): array
 */
 public function canView(User $user): bool
 {
- return true;
+ return parent::canView($user) || $user->can('accessPlugin-stripe');
 }
 /**
From 1309615ad06ac858a695cd010f7ff34e2cb1212b Mon Sep 17 00:00:00 2001
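Review bot: The new condition in `src/Plugin.php`, `$email = $sender->email && Craft::$app->getUser()->checkPermission('accessPlugin-stripe')`, assigns a boolean to `$email`, because `&&` binds tighter than `=` in PHP. The permission gate itself still holds, but a permitted user then reaches `fetchAllCustomers(['email' => $email])` with `true` in place of the address, so the Stripe lookup is no longer keyed on the user's e-mail. Parenthesise the assignment and test the permission first, so nothing is read for a viewer without access: `if (Craft::$app->getUser()->checkPermission('accessPlugin-stripe') && ($email = $sender->email)) {`. The closure body continues past the end of the hunk.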
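Review bot: The `'static'` flag in `actionIndex()` is set inside `jsSettings`, so the `editUsers` check added here can only change how the embedded index is rendered in the browser; it is not an authorization decision the server enforces. Requests that do not go through the rendered index are unaffected by it, so the element's own `can*()` methods and the controller actions must be what refuses a user without `editUsers`; those are outside this hunk and should be confirmed. A comment on the line would keep the flag from being mistaken for the access control: `// UI only: renders the index read-only; access is enforced by the element's can*() checks`. `actionIndex()` starts and ends outside the hunk, so any permission check made earlier in the method is not visible here.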
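Review bot: `Subscription::canView()` now requires `accessPlugin-stripe`, but it is the only authorization method this commit touches. If the class's other `can*()` overrides, or the plugin's sibling element classes, still `return true` the way this one did, they stay open to users without plugin access; those methods are outside the hunk, so this is something to confirm rather than a finding. The permission name is also a bare string repeated in `src/Plugin.php`, where a shared constant would keep the two checks from drifting apart. The docblock above the method could state the rule, e.g. `Viewable by users with the accessPlugin-stripe permission, in addition to whatever the parent allows.`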
From: Iwona Just Date: Tue, 26 Nov 2024 08:48:52 +0000 Subject: [PATCH 2/5] don't allow to sort by link --- src/elements/Product.php | 1 + 1 file changed, 1 insertion(+) diff --git a/src/elements/Product.php b/src/elements/Product.php index acc7aea..365fc94 100644 --- a/src/elements/Product.php +++ b/src/elements/Product.php @@ -293,6 +293,7 @@ protected static function defineSortOptions(): array $sortOptions = parent::defineSortOptions(); unset($sortOptions['stripeEdit']); + unset($sortOptions['link']); $sortOptions['title'] = self::displayName(); From e753478baf4eb06ab5a5a5136dd11516cd00b0a2 Mon Sep 17 00:00:00 2001 From: Iwona Just Date: Tue, 26 Nov 2024 08:54:59 +0000 Subject: [PATCH 3/5] updated changelog --- CHANGELOG.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 03b3cc3..c104ef7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,9 @@ # Release Notes for Stripe +## Unreleased + +- Fixed a bug where the products index page gave impression that it was possible to sort by Link. ([#59](https://github.com/craftcms/stripe/issues/59)) + ## 1.3.0 - 2024-11-19 - Stripe now requires Craft CMS 5.5.0 or later. From 323710d687b0bc4bb42066a921a7d912749fa3a9 Mon Sep 17 00:00:00 2001 From: Iwona Just Date: Tue, 26 Nov 2024 09:12:01 +0000 Subject: [PATCH 4/5] updated changelog --- CHANGELOG.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 03b3cc3..11d5351 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,5 +1,10 @@ # Release Notes for Stripe +## Unreleased + +- Fixed a bug where, in certain cases, it was possible to access a Subscription element in a slideout without having permission to access the Stripe plugin. ([#61](https://github.com/craftcms/stripe/pull/61)) +- Fixed a bug where the “Sync from Stripe” user menu item was shown even if user didn't permission to access the Stripe plugin. ([#61](https://github.com/craftcms/stripe/pull/61)) + ## 1.3.0 - 2024-11-19 - Stripe now requires Craft CMS 5.5.0 or later. From b6a4d02b1430e09948bfb4af7c51f649903ffdf8 Mon Sep 17 00:00:00 2001 From: Iwona Just Date: Wed, 27 Nov 2024 07:49:27 +0000 Subject: [PATCH 5/5] prettier --- CHANGELOG.md | 1 - 1 file changed, 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e221a11..100acd4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,7 +6,6 @@ - Fixed a bug where, in certain cases, it was possible to access a Subscription element in a slideout without having permission to access the Stripe plugin. ([#61](https://github.com/craftcms/stripe/pull/61)) - Fixed a bug where the “Sync from Stripe” user menu item was shown even if user didn't permission to access the Stripe plugin. ([#61](https://github.com/craftcms/stripe/pull/61)) - ## 1.3.0 - 2024-11-19 - Stripe now requires Craft CMS 5.5.0 or later.