Azkali / e-make

MIT License

Api/*: Protect all store-related APIs #3

Closed GerkinDev closed 5 years ago

GerkinDev commented 5 years ago

Attributes, attribute categories & products should be writable only by administrators, e.g. users with specific authorizations.

Cart & cart item should be bound to the connected user: a user can only retrieve their own items, & insert items linked with themselves. The only exception is the administrator, who can read & write for every user.

Payment related entities should be read-write only for admins.
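
One way to express the three rules from this issue as a default-deny policy, added here as an illustration and not taken from the e-make code base. The entity names, the `admin` role, the `userId` field and every function name are assumptions, as is public read access to the catalogue.

```javascript
// Added example: all identifiers below are hypothetical, not e-make's own API.
const CATALOG = new Set(['attribute', 'attributeCategory', 'product']);
const OWNED = new Set(['cart', 'cartItem']);
const PAYMENT = new Set(['payment']);

const isAdmin = (user) =>
  Boolean(user && Array.isArray(user.roles) && user.roles.includes('admin'));

// May `user` perform `action` ('read' | 'write') on `record` of type `entity`?
// For inserts, pass the payload returned by bindCartOwner as `record`.
function authorize(user, action, entity, record) {
  if (isAdmin(user)) return true;                     // admins read & write everything
  if (CATALOG.has(entity)) return action === 'read';  // assumption: catalogue is publicly readable
  if (PAYMENT.has(entity)) return false;              // payments: admins only, read and write
  if (OWNED.has(entity)) {
    // Carts and cart items: only the owner, and only when authenticated.
    return Boolean(user) && user.id != null &&
      record != null && record.userId === user.id;
  }
  return false;                                       // unknown entity: default deny
}

// List endpoints: force the owner filter so a client-supplied userId
// cannot widen the result set for a non-admin.
function scopeCartQuery(user, query = {}) {
  if (!user) throw new Error('authentication required');
  return isAdmin(user) ? { ...query } : { ...query, userId: user.id };
}

// Inserts: take the owner from the session, never from the request body.
// Only an admin may create an item on behalf of another user.
function bindCartOwner(user, payload = {}) {
  if (!user) throw new Error('authentication required');
  if (isAdmin(user) && payload.userId !== undefined) return { ...payload };
  return { ...payload, userId: user.id };
}
```

Calling `bindCartOwner` and `scopeCartQuery` before the data layer is what keeps a request that carries another user's id from reaching storage; `authorize` then covers single-record reads and updates.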