Meteor method permissions fixes

[aldeed]

Impact: minor
Type: bugfix

Issue

• "discounts/deleteRate" method did not prevent you from deleting a discount code belonging to another shop as long as you had permission for your own shop.
• "discounts/editCode" method did not prevent you from editing a discount code belonging to another shop as long as you had permission for your own shop. Additionally, it checked "discount-codes" permission while other methods checked "discounts" permission.
• "discounts/addCode" method checked "discount-codes" permission while other methods checked "discounts" permission.
• "discounts/editRate" method was unused.
• "discounts/setRate" method was unused.
• "taxes/deleteRate" method did not prevent you from deleting a tax rate belonging to another shop as long as you had permission for your own shop.
• "taxes/editRate" method did not prevent you from editing a tax rate belonging to another shop as long as you had permission for your own shop.
• "discounts/codes/apply" method allowed anyone to attach a discount code to a cart as long as they had enough information
• "discounts/codes/remove" method allowed anyone to remove a discount code from a cart as long as they had enough information
• "emails/retryFailed" method would allow you to trigger retry of a failed email if you had "reaction-email" permission for any shop.
• The "shipping/rates/*" methods were listed as deleted in the 2.0 RC1 release notes, but for some reason they're back, but still unused.

Solution

• "discounts/deleteRate" method is renamed to "discounts/deleteCode" and now ensures that you can't remove a discount owned by another shop
• "discounts/editCode" method now checks "discounts" rather than "discount-codes" permission and ensures that you can't remove a discount owned by another shop
• "discounts/addCode" method now checks "discounts" rather than "discount-codes" permission
• "discounts/editRate" method is removed
• "discounts/setRate" method is removed
• "taxes/deleteRate" method now ensures that you can't remove a tax rate owned by another shop
• "taxes/editRate" method now ensures that you can't edit a tax rate owned by another shop
• "discounts/codes/apply" method now requires that you are the cart owner or pass a token for an anonymous cart, or that you have "discounts" permission for the cart shop
• "discounts/codes/remove" method now requires that you are the cart owner or pass a token for an anonymous cart, or that you have "discounts" permission for the cart shop
• "emails/retryFailed" method will allow you to trigger retry of a failed email if you have "reaction-email" permission for the primary shop.
• The "shipping/rates/*" methods are deleted again

Breaking changes

Custom code that relies on the removed Meteor methods must be rewritten.

Testing

1. Verify the described permission changes
2. Ensure that you're still able to add, edit, and delete discount codes and tax rates as an admin.
3. Verify that you can still add and remove a discount code during checkout when logged in as non-admin and when not logged in.

[kieckhafer]

👍

[kieckhafer]

Verified all changes, code looks good 👍