Paypal Express versus admin profiles

[peterdd]

I have a store with 1.5.1 and Paypal Express configured. Both are working as they should.

In configuring admin profiles I want to limit access to the giving out of refunds - but this does not appear a possibility within the present package. Paypal IPN is included as an optional access in admin profiles but ticking that box makes no difference to whether a user can do refunds.

In other words, I want everyone to see the Paypal transaction is authorised (or not) in orders but only the chosen few to be able to actually press the repay button. This division of responsibilities would appear to be entirely within the spirit of admin profiles and PCI compliance.

Any help appreciated.

Thanks

[kobra]

Breaking down access to specific portions of elements would require additional custom code

PayPal has nothing to do with PCI compliance

[DrByte]

The PayPal IPN menu option you mention is simply the item on the Customers->PayPal IPN menu which shows you information about notifications received from Paypal indicating that transactions have happened.

As kobra said, the menu controls presently only control access "to the page", not to its individual parts.

[peterdd]

The PayPal IPN menu option you mention is simply the item on the Customers->PayPal IPN menu which shows you information about notifications received from Paypal indicating that transactions have happened.

As kobra said, the menu controls presently only control access "to the page", not to its individual parts.

Thanks for the speedy update. To be able to split these elements does seem sensible - thus limiting 'who can do what' - in line with Admin Profiles. It seems odd that I can limit who sees a report but if someone handles sales in any way they can also refund Paypal receipts, literally at the press of a button.

Anybody got any pointers as to how separating out the refund portion might be achieved? What would need to be done?

[DrByte]

Anybody got any pointers as to how separating out the refund portion might be achieved? What would need to be done?

Ya; it's a pretty huge job:
a) write a bunch of additional infrastructure for identifying miniscule sections of pages and storing info about those sections in the database
b) build all the logic in every admin page to link each of those sections to display blocks
c) build logic to lookup permissions for each section, ensuring that you don't blow out database queries by doing excessive additional lookups all over the page
d) build a UI to allow control over every one of those things including what actions to take if permission is denied
e) build in security protections to ensure there's no way to "trick" the system into doing the unauthorized things if attempted covertly
f) rewrite all admin-connected plugins to support all the extensive changes made to admin pages, both core and non-core
and so on