Move permission sets back to app/

These were already in app, but moved in
#403.

At the time of that PR, code reloading was still handled by Rails, so
let's see if we can now move them back as Zeitwerk now handles code
reloading.

core/app/models/spree/permission_sets/base.rb

@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+module Spree
+  module PermissionSets
+    # This is the base class used for crafting permission sets.
+    #
+    # This is used by {Spree::RoleConfiguration} when adding custom behavior to {Spree::Ability}.
+    # See one of the subclasses for example structure such as {Spree::PermissionSets::UserDisplay}
+    #
+    # @see Spree::RoleConfiguration
+    # @see Spree::PermissionSets
+    class Base
+      # @param ability [CanCan::Ability]
+      #   The ability that will be extended with the current permission set.
+      #   The ability passed in must respond to #user
+      def initialize(ability)
+        @ability = ability
+      end
+
+      # Activate permissions on the ability. Put your can and cannot statements here.
+      # Must be overridden by subclasses
+      def activate!
+        raise NotImplementedError.new
+      end
+
+      # Provide the permission set privilege in the form of a :symbol.
+      # Must be overridden by subclasses.
+      def self.privilege
+        raise NotImplementedError, "Subclass #{name} must define a privilege using `self.privilege :symbol`"
+      end
+
+      # Provide the permission set category in the form of a :symbol.
+      # Must be overridden by subclasses.
+      def self.category
+        raise NotImplementedError, "Subclass #{name} must define a category using `self.category :symbol`"
+      end
+
+      private
+
+      attr_reader :ability
+      delegate :can, :cannot, :user, to: :ability
+    end
+  end
+end

core/app/models/spree/permission_sets/configuration_display.rb

@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+module Spree
+  module PermissionSets
+    # Read-only permissions for e-commerce settings.
+    #
+    # Roles with this permission will be able to view information, also from the admin
+    # panel, about:
+    #
+    # - Tax categories
+    # - Tax rates
+    # - Zones
+    # - Countries
+    # - States
+    # - Payment methods
+    # - Taxonomies
+    # - Shipping methods
+    # - Shipping categories
+    # - Stock locations
+    # - Stock movements
+    # - Refund reasons
+    # - Reimbursement types
+    # - Return reasons
+    class ConfigurationDisplay < PermissionSets::Base
+      class << self
+        def privilege
+          :display
+        end
+
+        def category
+          :configuration
+        end
+      end
+
+      def activate!
+          can [:read, :admin], Spree::TaxCategory
+          can [:read, :admin], Spree::TaxRate
+          can [:read, :admin], Spree::Zone
+          can [:read, :admin], Spree::Country
+          can [:read, :admin], Spree::State
+          can [:read, :admin], Spree::PaymentMethod
+          can [:read, :admin], Spree::Taxonomy
+          can [:read, :admin], Spree::ShippingMethod
+          can [:read, :admin], Spree::ShippingCategory
+          can [:read, :admin], Spree::StockLocation
+          can [:read, :admin], Spree::StockMovement
+          can [:read, :admin], Spree::RefundReason
+          can [:read, :admin], Spree::ReimbursementType
+          can [:read, :admin], Spree::ReturnReason
+      end
+    end
+  end
+end

core/app/models/spree/permission_sets/configuration_management.rb

@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+
+module Spree
+  module PermissionSets
+    # Read and write permissions for e-commerce settings.
+    #
+    # Roles with this permission set will have full control over:
+    #
+    # - Tax categories
+    # - Tax rates
+    # - Zones
+    # - Countries
+    # - States
+    # - Payment methods
+    # - Taxonomies
+    # - Shipping methods
+    # - Shipping categories
+    # - Stock locations
+    # - Stock movements
+    # - Refund reasons
+    # - Reimbursement types
+    # - Return reasons
+    class ConfigurationManagement < PermissionSets::Base
+      class << self
+        def privilege
+          :management
+        end
+
+        def category
+          :configuration
+        end
+      end
+
+      def activate!
+        can :manage, Spree::TaxCategory
+        can :manage, Spree::TaxRate
+        can :manage, Spree::Zone
+        can :manage, Spree::Country
+        can :manage, Spree::State
+        can :manage, Spree::PaymentMethod
+        can :manage, Spree::Taxonomy
+        can :manage, Spree::ShippingMethod
+        can :manage, Spree::ShippingCategory
+        can :manage, Spree::StockLocation
+        can :manage, Spree::StockMovement
+        can :manage, Spree::RefundReason
+        can :manage, Spree::ReimbursementType
+        can :manage, Spree::ReturnReason
+      end
+    end
+  end
+end

core/app/models/spree/permission_sets/dashboard_display.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+module Spree
+  module PermissionSets
+    # Permissions for viewing the admin dashboard.
+    #
+    # Roles with this permission set will be able to view the admin dashboard,
+    # which may or not contain sensitive information depending on
+    # customizations.
+    class DashboardDisplay < PermissionSets::Base
+      class << self
+        def privilege
+          :other
+        end
+
+        def category
+          :dashboard_display
+        end
+      end
+
+      def activate!
+          Spree.deprecator.warn "The #{self.class.name} module is deprecated. " \
+            "If you still use dashboards, please copy all controllers and views from #{self.class.name} to your application."
+          can [:admin, :home], :dashboards
+      end
+    end
+  end
+end

core/app/models/spree/permission_sets/default_customer.rb

@@ -0,0 +1,83 @@
+# frozen_string_literal: true
+
+module Spree
+  module PermissionSets
+    # Permissions for e-commerce customers.
+    #
+    # This permission set is always added to the `:default` role, which in turn
+    # is the default role for all users without any explicit roles.
+    #
+    # Permissions include reading and updating orders when the ability's user
+    # has been assigned as the order's user, unless the order is already
+    # completed. Same is true for guest checkout orders.
+    #
+    # It grants read-only permissions for the following resources typically used
+    # during a checkout process:
+    #
+    # - Zones
+    # - Countries
+    # - States
+    # - Taxons
+    # - Taxonomies
+    # - Products
+    # - Properties
+    # - Product properties
+    # - Variants
+    # - Option types
+    # - Option values
+    # - Stock items
+    # - Stock locations
+    #
+    # Abilities with this role can also create refund authorizations for orders
+    # with the same user, as well as reading and updating the user record and
+    # their associated cards.
+    class DefaultCustomer < PermissionSets::Base
+      class << self
+        def privilege
+          :other
+        end
+
+        def category
+          :default_customer
+        end
+      end
+
+      def activate!
+        can :read, Country
+        can :read, OptionType
+        can :read, OptionValue
+        can :create, Order do |order, token|
+          # same user, or both nil
+          order.user == user ||
+          # guest checkout order
+          order.email.present? ||
+          # via API, just like with show and update
+          (order.guest_token.present? && token == order.guest_token)
+        end
+        can [:show, :update], Order, Order.where(user:) do |order, token|
+          order.user == user || (order.guest_token.present? && token == order.guest_token)
+        end
+        cannot :update, Order do |order|
+          order.completed?
+        end
+        can :create, ReturnAuthorization do |return_authorization|
+          return_authorization.order.user == user
+        end
+        can [:read, :update], CreditCard, user_id: user.id
+        can :read, Product
+        can :read, ProductProperty
+        can :read, Property
+        can :create, Spree.user_class
+        can [:show, :update, :update_email], Spree.user_class, id: user.id
+        can :read, State
+        can :read, StockItem, stock_location: { active: true }
+        can :read, StockLocation, active: true
+        can :read, Taxon
+        can :read, Taxonomy
+        can [:save_in_address_book, :remove_from_address_book], Spree.user_class, id: user.id
+        can [:read, :view_out_of_stock], Variant
+        can :read, Zone
+      end
+    end
+  end
+end

core/app/models/spree/permission_sets/order_display.rb

@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+module Spree
+  module PermissionSets
+    # Read permissions for orders.
+    #
+    # This permission set allows users to view all related information about
+    # orders, also from the admin panel, including:
+    #
+    # - Orders
+    # - Payments
+    # - Shipments
+    # - Adjustments
+    # - Line items
+    # - Return authorizations
+    # - Customer returns
+    # - Order cancellations
+    # - Reimbursements
+    # - Return items
+    # - Refunds
+    #
+    # However, it does not allow any modifications to be made to any of these
+    # resources.
+    class OrderDisplay < PermissionSets::Base
+      class << self
+        def privilege
+          :display
+        end
+
+        def category
+          :order
+        end
+      end
+
+      def activate!
+        can [:read, :admin, :edit, :cart], Spree::Order
+        can [:read, :admin], Spree::Payment
+        can [:read, :admin], Spree::Shipment
+        can [:read, :admin], Spree::Adjustment
+        can [:read, :admin], Spree::LineItem
+        can [:read, :admin], Spree::ReturnAuthorization
+        can [:read, :admin], Spree::CustomerReturn
+        can [:read, :admin], Spree::OrderCancellations
+        can [:read, :admin], Spree::Reimbursement
+        can [:read, :admin], Spree::ReturnItem
+        can [:read, :admin], Spree::Refund
+      end
+    end
+  end
+end

core/app/models/spree/permission_sets/order_management.rb

@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+module Spree
+  module PermissionSets
+    # Full permissions for order management.
+    #
+    # This permission set grants full control over all order and related resources,
+    # including:
+    #
+    # - Orders
+    # - Payments
+    # - Shipments
+    # - Adjustments
+    # - Line items
+    # - Return authorizations
+    # - Customer returns
+    # - Order cancellations
+    # - Reimbursements
+    # - Return items
+    # - Refunds
+    #
+    # It also allows reading reimbursement types, but not modifying them.
+    class OrderManagement < PermissionSets::Base
+      class << self
+        def privilege
+          :management
+        end
+
+        def category
+          :order
+        end
+      end
+
+      def activate!
+        can :read, Spree::ReimbursementType
+        can :manage, Spree::Order
+        can :manage, Spree::Payment
+        can :manage, Spree::Shipment
+        can :manage, Spree::Adjustment
+        can :manage, Spree::LineItem
+        can :manage, Spree::ReturnAuthorization
+        can :manage, Spree::CustomerReturn
+        can :manage, Spree::OrderCancellations
+        can :manage, Spree::Reimbursement
+        can :manage, Spree::ReturnItem
+        can :manage, Spree::Refund
+      end
+    end
+  end
+end