
[ADMIN] new order button permissions

Open spaghetticode opened this issue 4 years ago • 0 comments

In the admin area, we changed the permission check for being able to create a blank new order (i.e. show the new order button) from `:create` to `:manage`.

The underlying problem that was exposed here is caused by the fact that we automatically add the `DefaultCustomer` permission set to each user, and this permission set includes the `can :create, Spree::Order` directive.

In order to avoid always showing the new order button, we switched to `:manage`, but there may be situations where a more granular level of permissions is needed, i.e. having backend users that can create new orders but cannot fully manage them.

Also, the current solution seems a bit hacky to me, since if there are situations where a user should not be able to create an order, these should be guarded by the `:create` permission.

I'm not 100% sure about what would be the best approach here, but a possible solution may be to change the `DefaultCustomer` directive in order to allow order creation only when the order's user is the ability's user or when the order is a guest checkout order, so we can eventually revert to `can? :create` when showing the new order button in the admin.

spaghetticode · Jan 24 '22 13:01
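The following is an added example, not code from Solidus or CanCanCan, that models the permission-set change proposed in the issue and shows how each of the checks mentioned above (`:create` against the class, `:create` against an order instance, `:manage`) responds. `MiniAbility` is a small stand-in for the subset of CanCanCan semantics involved; `User`, `Order`, `default_customer_broad`, `default_customer_scoped`, `backend_order_creator` and `order_checks` are names assumed here for illustration. One behaviour the stand-in reproduces on purpose is that CanCanCan ignores block conditions when `can?` is asked about a class rather than an instance, which is exactly what `can? :create, Spree::Order` on a button does; that check is worth verifying before reverting the button from `:manage`.

```ruby
# Added example (not Solidus/CanCanCan code). Assumed names throughout.

# Stand-in for the CanCanCan behaviour this example relies on:
# - `can action, Class` grants the action on every instance of Class
# - `can action, Class do |obj| ... end` grants it only where the block is true
# - a :manage rule matches every action
# - when `can?` receives a class instead of an instance, block conditions are
#   skipped and the rule counts as granted (documented CanCanCan behaviour)
class MiniAbility
  def initialize
    @rules = []
  end

  def can(action, klass, &block)
    @rules << [action, klass, block]
  end

  def can?(action, subject)
    class_check   = subject.is_a?(Class)
    subject_class = class_check ? subject : subject.class
    @rules.any? do |rule_action, rule_class, block|
      next false unless [action, :manage].include?(rule_action)
      next false unless subject_class <= rule_class
      block.nil? || class_check || block.call(subject)
    end
  end
end

# Constructed models: an Order whose user_id is nil stands for a guest checkout order.
User  = Struct.new(:id, :admin)
Order = Struct.new(:user_id)

# Today's DefaultCustomer rule as the issue describes it: any user may create any order.
def default_customer_broad(_user)
  ability = MiniAbility.new
  ability.can :create, Order
  ability
end

# The proposed DefaultCustomer rule: only the user's own orders or guest orders.
def default_customer_scoped(user)
  ability = MiniAbility.new
  ability.can(:create, Order) { |order| order.user_id.nil? || order.user_id == user.id }
  ability
end

# A backend permission set that grants order creation without full management,
# the granular case the issue asks for (admin flag is a constructed stand-in for a role).
def backend_order_creator(user)
  ability = default_customer_scoped(user)
  ability.can :create, Order if user.admin
  ability
end

# Runs the checks an admin view might use and returns them side by side.
def order_checks(ability, user, other_user)
  {
    class_create: ability.can?(:create, Order),                  # what `can? :create` on the button sees
    own_order:    ability.can?(:create, Order.new(user.id)),
    others_order: ability.can?(:create, Order.new(other_user.id)),
    guest_order:  ability.can?(:create, Order.new(nil)),
    class_manage: ability.can?(:manage, Order)                   # what the button checks today
  }
end

if __FILE__ == $PROGRAM_NAME
  alice = User.new(1, false)
  bob   = User.new(2, false)
  puts "broad:  #{order_checks(default_customer_broad(alice), alice, bob)}"
  puts "scoped: #{order_checks(default_customer_scoped(alice), alice, bob)}"
end
```

With the scoped rule a customer can no longer create an order on behalf of another customer, while guest orders and their own orders still work; the class-level `:create` check, however, stays true for every customer, so an admin button reverted to `can? :create` would need to check against an order instance (or a dedicated backend permission such as `backend_order_creator`) to hide itself from plain customers.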