[5.x]: Implement "View Users" Permission to Allow Viewing Craft Customer Details Without Edit Rights

[romainpoirier]

What happened?

Description

In Craft Commerce, when a user without the "Edit users" permission views an order in the control panel (/admin/commerce/orders/{id}) and clicks the "View customer" link under the "Client" section, a 403 Forbidden error occurs. This limitation prevents certain user groups from accessing customer details, including custom fields and personal preferences, without granting them full user editing capabilities.

This issue was discussed in craftcms/commerce#3732, where it was suggested to create a feature request for adding a "View users" permission in Craft CMS.

Steps to reproduce

1. Assign a user to a group without the "Edit users" permission.
2. Log in to the control panel with this user account.
3. Navigate to an order detail page (/admin/commerce/orders/{id}).
4. Click on the "View customer" link under the "Client" section.

Expected behavior

The user should be able to view customer details, including custom fields and personal preferences, without encountering a 403 Forbidden error, while still lacking the ability to edit user information.

Actual behavior

Clicking the "View customer" link results in a 403 Forbidden error, preventing the user from viewing customer details.

Additional context

Introducing a "View users" permission in Craft CMS would allow specific user groups to access customer details without granting full editing rights. This enhancement would enable administrators to provide necessary access to customer information for certain roles without compromising security or granting excessive permissions.

Craft CMS version

5.4.9

PHP version

No response

Operating system and version

No response

Database type and version

No response

Image driver and version

No response

Installed plugins and versions

[lukeholder]

Craft 5.6 introduced a new “View users” user permission!

https://craftcms.com/docs/5.x/system/user-management.html#permissions