Permissions problems in Virtuemart 3.0.9 + Joomla 3.4.1

Started by mgworld, June 03, 2015, 11:47:07 AM


mgworld

Quote from: Milbo on June 12, 2015, 21:29:29 PM
I would say you describe it now in a lot more detail. All I did was decide that, as long as we do not have an ACL for publishing, it makes sense to show the publish/unpublish when you have the right to edit. The ACL system is something which will be enhanced slowly.

Ok, so I think it would make sense to implement another permission rule to "Create/delete Taxes & Calculation Rules", in addition to the "Edit Taxes and Calculation Rules".

Quote

Quote from: mgworld on June 12, 2015, 16:29:23 PM
In the "Orders" section, the user "shop" doesn't see the Delete button.

This is correct, only superadmins are meant to do that. Actually, you should avoid it anyway, it is not really legal, better is to use the "cancelled" state.

Ok.

Quote

Quote from: mgworld on June 12, 2015, 16:29:23 PM
In the "Coupons" section the user "shop" sees only the Help button.
I fear there is no ACL yet

Ok... In the meantime I think it would be better if the buttons to create/edit/delete coupons were available to all the users that have the "Coupons" permission allowed, since it doesn't make much sense that my "shop" user can see existing coupons but cannot create new ones.

Quote

Quote from: mgworld on June 12, 2015, 16:29:23 PM
The user "shop" sees the "Shop" menu, but it should not see it, being that I set "not allowed" in the Calculated Setting of Global Configuration for its group.
He can see the shop menu, but should not be able to change the config.

Yes, I confirm he can see the menu but cannot change the config... Anyway I would prefer he could not see that menu at all (being that I selected "not allowed" in the relative permission settings).

Quote

Quote from: mgworld on June 12, 2015, 16:29:23 PM
In the "Media Files" option under "SHOP" section, the user "shop" can see only the HELP button.
Check the settings.

Ok, you are right, this time I set "allowed" to the following rules in the Shop tab of the permission settings screen:
- Media Files
- Create
- Delete
- Edit
- Shipment Methods
- Payment Methods

Now, in the Media Files section, the user "shop" can see all the buttons in the top bar... Unfortunately this is not the case for "Shipment Methods" and "Payment Methods" (the "shop" user can see only "Clone payment" and "Help" buttons).

mgworld

Another bug (I think) is the impossibility to save changes to other shoppers' data, even though I set "allowed" to the permission "Edit users". This problem is described here too: http://forum.virtuemart.net/index.php?topic=124536.15

As I described there, I modded the file 

  **yourJoomlaPath**/administrator/components/com_virtuemart/tables/userinfos.php

I replaced the line 104 with this one:

   if(!$user->authorise('core.admin','com_virtuemart') && !$user->authorise('vm.user.edit','com_virtuemart')){
         
With this mod, if a user has the permission "EDIT USERS" allowed, now he can save the changes in the backend even if he is not a SuperUser.

Do you think this problem could be fixed in the next release of VM, or should I apply this mod manually after each VM upgrade? This fix is necessary to me because I created a special user (not superuser) that can access only a selected group of VM backend options... For example he should be able to assign a different shopper group to a shopper, and without the fix he could do this only if he were a superuser.

EDIT: I forgot to mention that for this to work the user has to be in the EDITOR user group too (but I don't know why...).
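
On the question of re-applying the mod after each upgrade, a post-upgrade check can report whether the permission gate in userinfos.php still carries the change. This is an added example, not part of the thread and not VirtueMart code; the function name `acl_gate_state` is hypothetical, and the script assumes the unmodified line tests only `core.admin`, which the page does not show.

```shell
#!/bin/sh
# Added example (not VirtueMart code): classify the permission gate in
# userinfos.php so a hand-applied core modification is not lost unnoticed
# when an upgrade overwrites the file.
#
# Usage (path placeholder, adjust to your install):
#   sh check_acl_gate.sh /path/to/joomla/administrator/components/com_virtuemart/tables/userinfos.php

# acl_gate_state FILE
# Prints exactly one word:
#   patched - one line checks both 'core.admin' and 'vm.user.edit' (the mod from the post)
#   stock   - a line checks 'core.admin' only (ASSUMED form of the unmodified line)
#   unknown - no such check found; upstream code changed, review by hand
#   missing - file not readable
acl_gate_state() {
    file=$1
    if [ ! -r "$file" ]; then
        echo missing
        return 0
    fi

    # Keep only authorise() calls made against the com_virtuemart asset.
    # "|| true" so an empty result is not treated as a script failure.
    gates=$(grep -F "authorise(" "$file" | grep -F "com_virtuemart" || true)

    # The mod puts both permission names on the same line, so require that.
    if printf '%s\n' "$gates" | grep -F "'core.admin'" | grep -qF "'vm.user.edit'"; then
        echo patched
    elif printf '%s\n' "$gates" | grep -qF "'core.admin'"; then
        echo stock
    else
        echo unknown
    fi
}

# Run as a script when a path is given on the command line.
if [ "$#" -gt 0 ]; then
    acl_gate_state "$1"
fi
```

A result of `unknown` means the check was rewritten upstream, so the old line should not be pasted back without reading the new code first.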