[Discounts] Discount policies (#2771)

* Permissions

* Build fixes

* Fixed links

* Fixed last links

* Removed link

* Apply suggestions from code review

Co-authored-by: julitafalcondusza <[email protected]>

---------

Co-authored-by: julitafalcondusza <[email protected]>

Author: mnocon

docs/administration/recent_activity/recent_activity.md

@@ -43,7 +43,7 @@ For every exact hour, the cronjob line is:
 ## Permission and security
 
 The [`activity_log/read`](policies.md#activity-log) policy gives a role the access to the **Admin** -> **Activity list**, the dashboard's **Recent activity** block, and the user profile's **Recent activity**.
-It can be limited to "Only own logs" ([`ActivityLogOwner`](limitation_reference.md#activitylogowner-limitation)).
+It can be limited to "Only own logs" ([`ActivityLogOwner`](limitation_reference.md#activity-log-owner-limitation)).
 
 The policy should be given to every roles having access to the back office, at least with the `ActivityLogOwner` owner limitation, to allow them to use the "Recent activity" block in the [default dashboard](configure_default_dashboard.md) or their [custom dashboard](customize_dashboard.md).
 This policy is required to view [activity log in user profile]([[= user_doc =]]/getting_started/get_started/#view-and-edit-user-profile), if [profile is enabled](update_from_4.5.md#user-profile).

docs/permissions/limitation_reference.md

@@ -33,17 +33,17 @@ Out of the box FunctionList uses it in the following way:
             - {name: ibexa.permissions.limitation_type, alias: FunctionList}
 ```
 
-## ActivityLogOwner limitation
+## Activity log Owner limitation
 
-The `ActivityLogOwner` limitation specifies if a user can see only their own [recent activity](recent_activity.md) log entries, and not entries from other users.
+The Activity log Owner (`ActivityLogOwner`) limitation specifies if a user can see only their own [recent activity](recent_activity.md) log entries, and not entries from other users.
 
 | Value | UI value        | Description                                                  |
 |-------|-----------------|--------------------------------------------------------------|
 | `1`   | "Only own logs" | Current user can only access their own activity log entries. |
 
-## CartOwner limitation
+## Cart Owner limitation
 
-The `CartOwner` limitation specifies whether the user can modify a cart.
+The Cart Owner (`CartOwner`) limitation specifies whether the user can modify a cart.
 
 ### Possible values
 
@@ -62,6 +62,16 @@ The Change Owner (`ChangeOwner`) limitation specifies whether the user can chang
 |------|------|------|
 |`1`|"Forbid"|The user cannot change owner of a content item|
 
+## Discount Owner limitation [[% include 'snippets/lts-update_badge.md' %]] [[% include 'snippets/commerce_badge.md' %]]
+
+The Discount Owner (`DiscountOwner`) limitation specifies whether the user can interact with a [discount](discounts.md).
+
+### Possible values
+
+|Value|UI value|Description|
+|------|------|------|
+|"self"|"self"|Only the user who is the owner of the discount gets access.|
+
 ## Content type Group limitation
 
 The Content Type Group (`UserGroup`) limitation specifies that only users with at least one common *direct* user group with the owner of content get the selected access right.

docs/permissions/permission_use_cases.md

@@ -269,6 +269,22 @@ Set the following permissions to decide what actions are available when users in
 - `checkout/update` - to allow users to modify existing information, for example item quantity
 - `checkout/delete` - to delete checkout
 
+### Discount management [[% include 'snippets/lts-update_badge.md' %]]
+
+Set the following permissions to decide what actions are available when users interact with [discounts](discounts.md) in the back office:
+
+- `discount/create` - to allow the user to create a new discount
+- `discount/update` - to allow the user to change the parameters of an existing discount
+- `discount/view` - to allow the user to view discounts data
+- `discount/delete` - to delete an existing discount
+- `discount/enable` - to allow the user to enable an existing discount
+- `discount/disable` - to allow the user to disable an existing discount
+
+To further control access to a discount, you can use the `DiscountOwner` limitation and set its value to `self`.
+This way users can only interact with their own discounts.
+
+Store users do not need any permissions to use discounts in the buying process.
+
 ### Order management
 
 Set the following permissions to decide what actions are available when users interact with orders:

docs/permissions/policies.md

@@ -27,9 +27,9 @@ Each role you assign to user or user group consists of policies which define, wh
 
 | Module                       | Function           | Effect               | Possible Limitations                                                    |
 |------------------------------|--------------------|----------------------|-------------------------------------------------------------------------|
-| <nobr>`activity_log`</nobr> | <nobr>`read`</nobr> | access activity list | [ActivityLogOwner](limitation_reference.md#activitylogowner-limitation) |
+| <nobr>`activity_log`</nobr> | <nobr>`read`</nobr> | access activity list | [ActivityLogOwner](limitation_reference.md#activity-log-owner-limitation) |
 
-#### AI actions
+#### AI actions [[% include 'snippets/lts-update_badge.md' %]]
 
 | Module                              | Function               | Effect                 | Possible Limitations |
 |-------------------------------------|------------------------|------------------------|----------------------|
@@ -103,10 +103,10 @@ Each role you assign to user or user group consists of policies which define, wh
 
 | Module              | Function              | Effect                                                              | Possible limitations                                      |
 |---------------------|-----------------------|---------------------------------------------------------------------|-----------------------------------------------------------|
-| <nobr>`cart`</nobr> | <nobr>`create`</nobr> | create a cart                                                       | [CartOwner](limitation_reference.md#cartowner-limitation) |
-|                     | <nobr>`delete`</nobr> | delete cart, for example, after successful checkout                 | [CartOwner](limitation_reference.md#cartowner-limitation) |
-|                     | <nobr>`edit`</nobr>   | change cart metadata (name, currency, owner), add/remove cart items | [CartOwner](limitation_reference.md#cartowner-limitation) |
-|                     | <nobr>`view`</nobr>   | view a cart                                                         | [CartOwner](limitation_reference.md#cartowner-limitation) |
+| <nobr>`cart`</nobr> | <nobr>`create`</nobr> | create a cart                                                       | [CartOwner](limitation_reference.md#cart-owner-limitation) |
+|                     | <nobr>`delete`</nobr> | delete cart, for example, after successful checkout                 | [CartOwner](limitation_reference.md#cart-owner-limitation) |
+|                     | <nobr>`edit`</nobr>   | change cart metadata (name, currency, owner), add/remove cart items | [CartOwner](limitation_reference.md#cart-owner-limitation) |
+|                     | <nobr>`view`</nobr>   | view a cart                                                         | [CartOwner](limitation_reference.md#cart-owner-limitation) |
 
 #### Checkout [[% include 'snippets/commerce_badge.md' %]]
 
@@ -124,6 +124,25 @@ Each role you assign to user or user group consists of policies which define, wh
 | <nobr>`commerce`</nobr> | <nobr>`currency`</nobr> | manage currencies |
 |                         | <nobr>`region`</nobr>   | manage regions    |
 
+#### Discounts [[% include 'snippets/lts-update_badge.md' %]] [[% include 'snippets/commerce_badge.md' %]]
+
+The discount policies decide which actions can be executed by given user or user group.
+
+!!! caution "Customers and discount policies"
+
+    Customers don't need any policies to use the discounts on the [storefront](storefront.md).
+    Even the `discount/view` policy would allow them to access all the discount details, including the coupon codes to activate them, which could lead to system abuse.
+
+
+| Module               | Function                 | Effect                      | Possible limitations                                         |
+|----------------------|--------------------------|-----------------------------|----------------------------------------------------|
+| <nobr>`discount`</nobr> | <nobr>`create`</nobr> | create a discount           | [DiscountOwner](limitation_reference.md#discount-owner-limitation) |
+|                      | <nobr>`update`</nobr>    | modify discount parameters           | [DiscountOwner](limitation_reference.md#discount-owner-limitation) |
+|                      | <nobr>`view`</nobr>      | view discounts (including its details)              | [DiscountOwner](limitation_reference.md#discount-owner-limitation) |
+|                      | <nobr>`delete`</nobr>    | delete a discount           | [DiscountOwner](limitation_reference.md#discount-owner-limitation) |
+|                      | <nobr>`enable`</nobr>    | enable a discount           | [DiscountOwner](limitation_reference.md#discount-owner-limitation) |
+|                      | <nobr>`disable`</nobr>   | disable a discount          | [DiscountOwner](limitation_reference.md#discount-owner-limitation) |
+
 #### Orders [[% include 'snippets/commerce_badge.md' %]]
 
 | Module               | Function              | Effect                    | Possible limitations                                         |