refactor: expanded product admin permissions #5428

Merged


@kieckhafer kieckhafer commented Aug 7, 2019

Impact: major
Type: feature

Issue

We currently use the createProduct as a catch-all for any product related admin action. All users should not have permission to do all things with a product.

Solution

Granulate permissions so that different users can perform different tasks, and not have all permissions on product admin.

  • To keep backwards compatibility, we are keeping the createProduct permission as is, so any existing user groups with createRefund permission are not affected.
  • We've added a new product/admin permission in all places where createProduct is used. This will provide forward capability to use this permission as a catch-all / super-admin with a better descriptive name.
  • We've also added five new permissions that are added in addition to product/admin in places where deemed appropriate: product/archive, product/clone, product/create, product/publish, and product/update.

Thoughts for discussion

  • product/clone and product/create probably could be merged, if that's seen as a better fit, however I can imagine instances where a user should only be allowed to clone a variant, not create a whole new product.
  • We could potentially remove createProduct and swap it for product/admin, instead of just adding product/admin in addition, but this would be a breaking change, and should probably be better addressed in an entire permissions overhaul, rather than this.

Breaking changes

None. We keep our existing createProduct permission as is. All new permissions are in addition to createProduct.

Testing

  1. Invite a new user to a non-full-admin group (ex. shop manager)
  2. Turn off the createProduct permission (called Add product in our UI), which is the main products permission for the entire app

Accounts

  1. Turn on Product Admin permission in the new section
  2. See that you can perform all Product related updates / deletions / etc, nothing should be different
  3. Turn off Product Admin
  4. Turn on all permissions except Archive Product. See that the archive button is missing from the actions dropdown
  5. Turn off Clone Product, and see that Duplicate is missing from the dropdown
  6. Turn off Create product and see that + is missing from the variant / option list

Reaction

Note: You must have either product/admin, product/update, or createProduct permission in order to even see a product page. If none of those are active, you'll see a blank page / error. This is consistent with the current app.
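
The permission model described in the pull request above, as an added JavaScript example that is not part of the pull request or the project's code. The function names, the publish and update action mapping, and gating every action on the page-visibility rule from the note are assumptions made for illustration; the permission strings are the ones listed in the description.

```javascript
// Added illustration; all identifiers here are hypothetical, not the project's API.
// Catch-all permissions: the legacy one kept for compatibility and the new one.
const CATCH_ALL = ["createProduct", "product/admin"];

// Action -> granular permission accepted in addition to the catch-alls.
// A Map avoids inherited keys such as "toString" being treated as actions.
const ACTION_PERMISSION = new Map([
  ["archive", "product/archive"],
  ["clone", "product/clone"],
  ["create", "product/create"],
  ["publish", "product/publish"],
  ["update", "product/update"]
]);

// Per the note: the product page is only visible with one of these.
const VIEW_PERMISSIONS = [...CATCH_ALL, "product/update"];

function hasAny(granted, accepted) {
  return accepted.some((permission) => granted.has(permission));
}

// Deny by default: unknown actions and users who cannot see the page get false.
function canPerform(grantedList, action) {
  const granular = ACTION_PERMISSION.get(action);
  if (granular === undefined) return false;
  const granted = new Set(grantedList);
  if (!hasAny(granted, VIEW_PERMISSIONS)) return false;
  return hasAny(granted, [...CATCH_ALL, granular]);
}

// Actions a group with the given permissions would see in the product UI.
function allowedActions(grantedList) {
  return [...ACTION_PERMISSION.keys()]
    .filter((action) => canPerform(grantedList, action))
    .sort();
}

// Constructed sample: every granular permission except product/archive.
const noArchive = ["product/clone", "product/create", "product/publish", "product/update"];
console.log(allowedActions(noArchive)); // archive is absent
console.log(allowedActions(["product/archive"])); // empty: page is not visible
```

A group holding only a granular permission other than product/update ends up with no usable actions in this model, which is worth checking when composing custom groups.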

@kieckhafer changed the title from "[WIP] expanded order permissions" to "[WIP] expanded product admin permissions" Aug 7, 2019
@kieckhafer changed the title from "[WIP] expanded product admin permissions" to "refactor: expanded product admin permissions" Aug 7, 2019
@kieckhafer kieckhafer marked this pull request as ready for review August 7, 2019 05:16
Signed-off-by: Erik Kieckhafer <[email protected]>
Signed-off-by: Erik Kieckhafer <[email protected]>
@aldeed
Contributor

aldeed commented Aug 8, 2019

Didn't test, but code 👍

@kieckhafer
Member Author

@aldeed thanks! @bt3gl could you please do the UI testing portion of this?

@von-steinkirch
Contributor

@kieckhafer On it

@machikoyasuda
Contributor

I'm trying to test this PR locally cos Mia was having trouble.

I got up to the part where I made a new Store Manager w/ the updated Product Admin permissions... and then I tried to log out, by clicking the corner menu button and Log Out. But it immediately logged me back in. I tried opening the site in Safari, Firefox, Chrome, even Vivaldi, but same deal. I then manually deleted all my Session cookies. Now I'm stuck in this Zombie mode, where I cannot access the login / log out buttons at all.

Screen Shot 2019-08-09 at 5 54 03 PM

Sooo @kieckhafer What's the trick to logging into several different Admin w/ different Users? Use different browsers? Use different browsers, in Incognito mode? Manually delete session cookies?

@von-steinkirch
Contributor

von-steinkirch commented Aug 10, 2019

As @machikoyasuda mentioned, I was never able to fully test this because any time I try to turn anything on/off, I get the error below, independent of selecting "Shop Manager" or not. No errors appear in the logs, so I have no idea how to debug this.
Screen Shot 2019-08-09 at 8 05 53 PM

@machikoyasuda
Contributor

I tested the UI on this and it works for me 👍

@kieckhafer kieckhafer merged commit 9cba900 into develop Aug 12, 2019
@kieckhafer kieckhafer deleted the fix/refactor-kieckhafer-permissionsAroundProductsGroups branch August 12, 2019 20:49
@kieckhafer kieckhafer mentioned this pull request Aug 28, 2019