From 4ea17ed9b045fa4851994a1050d7f11f3ad07585 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Noco=C5=84?= Date: Wed, 4 Jun 2025 17:09:33 +0200 Subject: [PATCH 1/6] Permissions --- docs/permissions/limitation_reference.md | 14 ++++++++++++-- docs/permissions/permission_use_cases.md | 16 ++++++++++++++++ docs/permissions/policies.md | 21 ++++++++++++++++++++- 3 files changed, 48 insertions(+), 3 deletions(-) diff --git a/docs/permissions/limitation_reference.md b/docs/permissions/limitation_reference.md index 40bcc538fa..c39880a96d 100644 --- a/docs/permissions/limitation_reference.md +++ b/docs/permissions/limitation_reference.md @@ -41,9 +41,9 @@ The `ActivityLogOwner` limitation specifies if a user can see only their own [re |-------|-----------------|--------------------------------------------------------------| | `1` | "Only own logs" | Current user can only access their own activity log entries. | -## CartOwner limitation +## Cart Owner limitation -The `CartOwner` limitation specifies whether the user can modify a cart. +The Cart Owner `CartOwner` limitation specifies whether the user can modify a cart. ### Possible values @@ -62,6 +62,16 @@ The Change Owner (`ChangeOwner`) limitation specifies whether the user can chang |------|------|------| |`1`|"Forbid"|The user cannot change owner of a content item| +## Discount Owner limitation [[% include 'snippets/lts-update_badge.md' %]] [[% include 'snippets/commerce_badge.md' %]] + +The Discount Owner [`DiscountOwner`] limitation specifies whether the user can interact with a [discount](discounts.md). + +### Possible values + +|Value|UI value|Description| +|------|------|------| +|"self"|"self"|Only the user who is the owner of the discount gets access.| + ## Content type Group limitation The Content Type Group (`UserGroup`) limitation specifies that only users with at least one common *direct* user group with the owner of content get the selected access right. diff --git a/docs/permissions/permission_use_cases.md b/docs/permissions/permission_use_cases.md index cd043357de..73b34f390f 100644 --- a/docs/permissions/permission_use_cases.md +++ b/docs/permissions/permission_use_cases.md @@ -269,6 +269,22 @@ Set the following permissions to decide what actions are available when users in - `checkout/update` - to allow users to modify existing information, for example item quantity - `checkout/delete` - to delete checkout +### Discount management [[% include 'snippets/lts-update_badge.md' %]] + +Set the following permissions to decide what actions are available when users interact with [discounts](discounts.md) in the back office: + +- `discount/create` - to allow the user to create a new discount +- `discount/update` - to allow the user to change the parameters of an existing discount +- `discount/view` - to allow the user to view discounts data +- `discount/delete` - to delete an existing discount +- `discount/enable` - to allow the user to enable an existing discount +- `discount/disable` - to allow the user to disable an existing discount + +To further control access to a discount, you can use the `DiscountOwner` limitation and set its value to `self`. +This way users can only interact with their own discounts. + +Store users do not need any permissions to use discounts in the buying process. + ### Order management Set the following permissions to decide what actions are available when users interact with orders: diff --git a/docs/permissions/policies.md b/docs/permissions/policies.md index d7ab811549..3ff6aefe80 100644 --- a/docs/permissions/policies.md +++ b/docs/permissions/policies.md @@ -29,7 +29,7 @@ Each role you assign to user or user group consists of policies which define, wh |------------------------------|--------------------|----------------------|-------------------------------------------------------------------------| | `activity_log` | `read` | access activity list | [ActivityLogOwner](limitation_reference.md#activitylogowner-limitation) | -#### AI actions +#### AI actions [[% include 'snippets/lts-update_badge.md' %]] | Module | Function | Effect | Possible Limitations | |-------------------------------------|------------------------|------------------------|----------------------| @@ -124,6 +124,25 @@ Each role you assign to user or user group consists of policies which define, wh | `commerce` | `currency` | manage currencies | | | `region` | manage regions | +#### Discounts [[% include 'snippets/lts-update_badge.md' %]] [[% include 'snippets/commerce_badge.md' %]] + +The discount policies decide which actions can be executed by given user or user group. + +!!! caution "Customers and discount policies" + + Customers do not need any policies to use the discounts on the [storefront](storefront.md). + Even the `discount/view` policy would allow them to access all the discount details, including the coupon codes to activate them, which could lead to system abuse. + + +| Module | Function | Effect | Possible limitations | +|----------------------|--------------------------|-----------------------------|----------------------------------------------------| +| `discount` | `create` | create a discount | [DiscountOwner](limitation_reference.md#discount-owner-limitation) | +| | `update` | modify discount parameters | [DiscountOwner](limitation_reference.md#discount-owner-limitation) | +| | `view` | view discounts (including its details) | [DiscountOwner](limitation_reference.md#discount-owner-limitation) | +| | `delete` | delete a discount | [DiscountOwner](limitation_reference.md#discount-owner-limitation) | +| | `enable` | enable a discount | [DiscountOwner](limitation_reference.md#discount-owner-limitation) | +| | `disable` | disable a discount | [DiscountOwner](limitation_reference.md#discount-owner-limitation) | + #### Orders [[% include 'snippets/commerce_badge.md' %]] | Module | Function | Effect | Possible limitations | From 8f453c82eb3e9acb115ea59666131f8e476fc072 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Noco=C5=84?= Date: Thu, 5 Jun 2025 13:03:06 +0200 Subject: [PATCH 2/6] Build fixes --- docs/permissions/limitation_reference.md | 2 +- docs/permissions/policies.md | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/permissions/limitation_reference.md b/docs/permissions/limitation_reference.md index c39880a96d..092e20cf3c 100644 --- a/docs/permissions/limitation_reference.md +++ b/docs/permissions/limitation_reference.md @@ -33,7 +33,7 @@ Out of the box FunctionList uses it in the following way: - {name: ibexa.permissions.limitation_type, alias: FunctionList} ``` -## ActivityLogOwner limitation +## ActivityLog Owner limitation The `ActivityLogOwner` limitation specifies if a user can see only their own [recent activity](recent_activity.md) log entries, and not entries from other users. diff --git a/docs/permissions/policies.md b/docs/permissions/policies.md index 3ff6aefe80..c25792bfd7 100644 --- a/docs/permissions/policies.md +++ b/docs/permissions/policies.md @@ -103,10 +103,10 @@ Each role you assign to user or user group consists of policies which define, wh | Module | Function | Effect | Possible limitations | |---------------------|-----------------------|---------------------------------------------------------------------|-----------------------------------------------------------| -| `cart` | `create` | create a cart | [CartOwner](limitation_reference.md#cartowner-limitation) | -| | `delete` | delete cart, for example, after successful checkout | [CartOwner](limitation_reference.md#cartowner-limitation) | -| | `edit` | change cart metadata (name, currency, owner), add/remove cart items | [CartOwner](limitation_reference.md#cartowner-limitation) | -| | `view` | view a cart | [CartOwner](limitation_reference.md#cartowner-limitation) | +| `cart` | `create` | create a cart | [CartOwner](limitation_reference.md#cart-owner-limitation) | +| | `delete` | delete cart, for example, after successful checkout | [CartOwner](limitation_reference.md#cart-owner-limitation) | +| | `edit` | change cart metadata (name, currency, owner), add/remove cart items | [CartOwner](limitation_reference.md#cart-owner-limitation) | +| | `view` | view a cart | [CartOwner](limitation_reference.md#cart-owner-limitation) | #### Checkout [[% include 'snippets/commerce_badge.md' %]] From 02cd1961851d696c5c58b30ed0a4601f127242e2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Noco=C5=84?= Date: Mon, 9 Jun 2025 11:32:06 +0200 Subject: [PATCH 3/6] Fixed links --- docs/administration/recent_activity/recent_activity.md | 2 +- docs/permissions/limitation_reference.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/administration/recent_activity/recent_activity.md b/docs/administration/recent_activity/recent_activity.md index 02e3dcd0e5..49edb242da 100644 --- a/docs/administration/recent_activity/recent_activity.md +++ b/docs/administration/recent_activity/recent_activity.md @@ -43,7 +43,7 @@ For every exact hour, the cronjob line is: ## Permission and security The [`activity_log/read`](policies.md#activity-log) policy gives a role the access to the **Admin** -> **Activity list**, the dashboard's **Recent activity** block, and the user profile's **Recent activity**. -It can be limited to "Only own logs" ([`ActivityLogOwner`](limitation_reference.md#activitylogowner-limitation)). +It can be limited to "Only own logs" ([`ActivityLogOwner`](limitation_reference.md#activity-log-owner-limitation)). The policy should be given to every roles having access to the back office, at least with the `ActivityLogOwner` owner limitation, to allow them to use the "Recent activity" block in the [default dashboard](configure_default_dashboard.md) or their [custom dashboard](customize_dashboard.md). This policy is required to view [activity log in user profile]([[= user_doc =]]/getting_started/get_started/#view-and-edit-user-profile), if [profile is enabled](update_from_4.5.md#user-profile). diff --git a/docs/permissions/limitation_reference.md b/docs/permissions/limitation_reference.md index 092e20cf3c..c4613aa247 100644 --- a/docs/permissions/limitation_reference.md +++ b/docs/permissions/limitation_reference.md @@ -33,7 +33,7 @@ Out of the box FunctionList uses it in the following way: - {name: ibexa.permissions.limitation_type, alias: FunctionList} ``` -## ActivityLog Owner limitation +## Activity log Owner limitation The `ActivityLogOwner` limitation specifies if a user can see only their own [recent activity](recent_activity.md) log entries, and not entries from other users. From 684e2eace82f094e0460fd6716b88974a9393da1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Noco=C5=84?= Date: Mon, 9 Jun 2025 11:36:33 +0200 Subject: [PATCH 4/6] Fixed last links --- docs/permissions/policies.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/permissions/policies.md b/docs/permissions/policies.md index c25792bfd7..ebff4de51e 100644 --- a/docs/permissions/policies.md +++ b/docs/permissions/policies.md @@ -27,7 +27,7 @@ Each role you assign to user or user group consists of policies which define, wh | Module | Function | Effect | Possible Limitations | |------------------------------|--------------------|----------------------|-------------------------------------------------------------------------| -| `activity_log` | `read` | access activity list | [ActivityLogOwner](limitation_reference.md#activitylogowner-limitation) | +| `activity_log` | `read` | access activity list | [ActivityLogOwner](limitation_reference.md#activity-log-owner-limitation) | #### AI actions [[% include 'snippets/lts-update_badge.md' %]] From c3f7666405e70176e14806af64165bd9702f10cc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Noco=C5=84?= Date: Mon, 9 Jun 2025 12:32:11 +0200 Subject: [PATCH 5/6] Removed link --- docs/permissions/limitation_reference.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/permissions/limitation_reference.md b/docs/permissions/limitation_reference.md index c4613aa247..e1f9ba749c 100644 --- a/docs/permissions/limitation_reference.md +++ b/docs/permissions/limitation_reference.md @@ -64,7 +64,7 @@ The Change Owner (`ChangeOwner`) limitation specifies whether the user can chang ## Discount Owner limitation [[% include 'snippets/lts-update_badge.md' %]] [[% include 'snippets/commerce_badge.md' %]] -The Discount Owner [`DiscountOwner`] limitation specifies whether the user can interact with a [discount](discounts.md). +The Discount Owner limitation specifies whether the user can interact with a [discount](discounts.md). ### Possible values From e4424b5f3b787f31b3c7aab6fe84468bece0812b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Noco=C5=84?= Date: Wed, 11 Jun 2025 09:13:35 +0200 Subject: [PATCH 6/6] Apply suggestions from code review Co-authored-by: julitafalcondusza <117284672+julitafalcondusza@users.noreply.github.com> --- docs/permissions/limitation_reference.md | 6 +++--- docs/permissions/policies.md | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/permissions/limitation_reference.md b/docs/permissions/limitation_reference.md index e1f9ba749c..cc05ab5c96 100644 --- a/docs/permissions/limitation_reference.md +++ b/docs/permissions/limitation_reference.md @@ -35,7 +35,7 @@ Out of the box FunctionList uses it in the following way: ## Activity log Owner limitation -The `ActivityLogOwner` limitation specifies if a user can see only their own [recent activity](recent_activity.md) log entries, and not entries from other users. +The Activity log Owner (`ActivityLogOwner`) limitation specifies if a user can see only their own [recent activity](recent_activity.md) log entries, and not entries from other users. | Value | UI value | Description | |-------|-----------------|--------------------------------------------------------------| @@ -43,7 +43,7 @@ The `ActivityLogOwner` limitation specifies if a user can see only their own [re ## Cart Owner limitation -The Cart Owner `CartOwner` limitation specifies whether the user can modify a cart. +The Cart Owner (`CartOwner`) limitation specifies whether the user can modify a cart. ### Possible values @@ -64,7 +64,7 @@ The Change Owner (`ChangeOwner`) limitation specifies whether the user can chang ## Discount Owner limitation [[% include 'snippets/lts-update_badge.md' %]] [[% include 'snippets/commerce_badge.md' %]] -The Discount Owner limitation specifies whether the user can interact with a [discount](discounts.md). +The Discount Owner (`DiscountOwner`) limitation specifies whether the user can interact with a [discount](discounts.md). ### Possible values diff --git a/docs/permissions/policies.md b/docs/permissions/policies.md index ebff4de51e..08830e444c 100644 --- a/docs/permissions/policies.md +++ b/docs/permissions/policies.md @@ -130,7 +130,7 @@ The discount policies decide which actions can be executed by given user or user !!! caution "Customers and discount policies" - Customers do not need any policies to use the discounts on the [storefront](storefront.md). + Customers don't need any policies to use the discounts on the [storefront](storefront.md). Even the `discount/view` policy would allow them to access all the discount details, including the coupon codes to activate them, which could lead to system abuse.