Permissions

mnocon · mnocon · commit f25fae034c12 · 2025-06-05T12:49:56.000+02:00
diff --git a/docs/permissions/limitation_reference.md b/docs/permissions/limitation_reference.md
@@ -41,9 +41,9 @@ The `ActivityLogOwner` limitation specifies if a user can see only their own [re
 |-------|-----------------|--------------------------------------------------------------|
 | `1`   | "Only own logs" | Current user can only access their own activity log entries. |
 
-## CartOwner limitation
+## Cart Owner limitation
 
-The `CartOwner` limitation specifies whether the user can modify a cart.
+The Cart Owner `CartOwner` limitation specifies whether the user can modify a cart.
 
 ### Possible values
 
@@ -62,6 +62,16 @@ The Change Owner (`ChangeOwner`) limitation specifies whether the user can chang
 |------|------|------|
 |`1`|"Forbid"|The user cannot change owner of a content item|
 
+## Discount Owner limitation [[% include 'snippets/lts-update_badge.md' %]] [[% include 'snippets/commerce_badge.md' %]]
+
+The Discount Owner [`DiscountOwner`] limitation specifies whether the user can interact with a [discount](discounts.md).
+
+### Possible values
+
+|Value|UI value|Description|
+|------|------|------|
+|"self"|"self"|Only the user who is the owner of the discount gets access.|
+
 ## Content type Group limitation
 
 The Content Type Group (`UserGroup`) limitation specifies that only users with at least one common *direct* user group with the owner of content get the selected access right.
diff --git a/docs/permissions/permission_use_cases.md b/docs/permissions/permission_use_cases.md
@@ -269,6 +269,22 @@ Set the following permissions to decide what actions are available when users in
 - `checkout/update` - to allow users to modify existing information, for example item quantity
 - `checkout/delete` - to delete checkout
 
+### Discount management [[% include 'snippets/lts-update_badge.md' %]]
+
+Set the following permissions to decide what actions are available when users interact with [discounts](discounts.md) in the back office:
+
+- `discount/create` - to allow the user to create a new discount
+- `discount/update` - to allow the user to change the parameters of an existing discount
+- `discount/view` - to allow the user to view discounts data
+- `discount/delete` - to delete an existing discount
+- `discount/enable` - to allow the user to enable an existing discount
+- `discount/disable` - to allow the user to disable an existing discount
+
+To further control access to a discount, you can use the `DiscountOwner` limitation and set its value to `self`.
+This way users can only interact with their own discounts.
+
+Store users do not need any permissions to use discounts in the buying process.
+
 ### Order management
 
 Set the following permissions to decide what actions are available when users interact with orders:
diff --git a/docs/permissions/policies.md b/docs/permissions/policies.md
@@ -29,7 +29,7 @@ Each role you assign to user or user group consists of policies which define, wh
 |------------------------------|--------------------|----------------------|-------------------------------------------------------------------------|
 | <nobr>`activity_log`</nobr> | <nobr>`read`</nobr> | access activity list | [ActivityLogOwner](limitation_reference.md#activitylogowner-limitation) |
 
-#### AI actions
+#### AI actions [[% include 'snippets/lts-update_badge.md' %]]
 
 | Module                              | Function               | Effect                 | Possible Limitations |
 |-------------------------------------|------------------------|------------------------|----------------------|
@@ -124,6 +124,25 @@ Each role you assign to user or user group consists of policies which define, wh
 | <nobr>`commerce`</nobr> | <nobr>`currency`</nobr> | manage currencies |
 |                         | <nobr>`region`</nobr>   | manage regions    |
 
+#### Discounts [[% include 'snippets/lts-update_badge.md' %]] [[% include 'snippets/commerce_badge.md' %]]
+
+The discount policies decide which actions can be executed by given user or user group.
+
+!!! caution "Customers and discount policies"
+
+    Customers do not need any policies to use the discounts on the [storefront](storefront.md).
+    Even the `discount/view` policy would allow them to access all the discount details, including the coupon codes to activate them, which could lead to system abuse.
+
+
+| Module               | Function                 | Effect                      | Possible limitations                                         |
+|----------------------|--------------------------|-----------------------------|----------------------------------------------------|
+| <nobr>`discount`</nobr> | <nobr>`create`</nobr> | create a discount           | [DiscountOwner](limitation_reference.md#discount-owner-limitation) |
+|                      | <nobr>`update`</nobr>    | modify discount parameters           | [DiscountOwner](limitation_reference.md#discount-owner-limitation) |
+|                      | <nobr>`view`</nobr>      | view discounts (including its details)              | [DiscountOwner](limitation_reference.md#discount-owner-limitation) |
+|                      | <nobr>`delete`</nobr>    | delete a discount           | [DiscountOwner](limitation_reference.md#discount-owner-limitation) |
+|                      | <nobr>`enable`</nobr>    | enable a discount           | [DiscountOwner](limitation_reference.md#discount-owner-limitation) |
+|                      | <nobr>`disable`</nobr>   | disable a discount          | [DiscountOwner](limitation_reference.md#discount-owner-limitation) |
+
 #### Orders [[% include 'snippets/commerce_badge.md' %]]
 
 | Module               | Function              | Effect                    | Possible limitations                                         |
