Taxon management unauthorized even with ProductManagement permission set. #18

Open
mathportillo opened this issue Jun 25, 2018 · 0 comments

mathportillo commented Jun 25, 2018

How to reproduce:

  • Create role with ProductDisplay and ProductManagement permissions
  • Add role to user
  • Log in to admin with user
  • Try to create or update (or reorder) taxon

The result is "Unauthorized" when it should be authorized normally.

Details:

  • On Admin, when a user with the ProductManagement permission set tries to create or update a taxon, it fails.
  • Looks like this part of admin uses the Solidus API for queries using AJAX. Maybe there is something wrong with the API's handling of permissions.
  • It works fine with users with 'admin' role.
  • I am using Solidus 2.3.1

Here are the logs:

Started PUT "/api/taxonomies/1/taxons/8" for 130.211.3.31 at 2018-06-25 12:43:29 +0000
Processing by Spree::Api::TaxonsController#update as JSON
  Parameters: {"taxon"=>{"parent_id"=>"1", "child_index"=>"7"}, "taxonomy_id"=>"1", "id"=>"8"}
  Spree::User Load (1.0ms)  SELECT  "spree_users".* FROM "spree_users" WHERE "spree_users"."deleted_at" IS NULL AND "spree_users"."spree_api_key" = $1 LIMIT $2  [["spree_api_key", ""], ["LIMIT", 1]]
  Spree::Taxonomy Load (0.9ms)  SELECT  "spree_taxonomies".* FROM "spree_taxonomies" WHERE "spree_taxonomies"."id" = $1 ORDER BY "spree_taxonomies"."position" ASC LIMIT $2  [["id", 1], ["LIMIT", 1]]
  Spree::Taxon Load (0.9ms)  SELECT  "spree_taxons".* FROM "spree_taxons" WHERE "spree_taxons"."taxonomy_id" = $1 AND "spree_taxons"."id" = $2 LIMIT $3  [["taxonomy_id", 1], ["id", 8], ["LIMIT", 1]]
  Rendering /opt/gem/ruby/2.3.0/gems/solidus_api-2.3.1/app/views/spree/api/errors/unauthorized.v1.rabl
  Rendered /opt/gem/ruby/2.3.0/gems/solidus_api-2.3.1/app/views/spree/api/errors/unauthorized.v1.rabl (0.8ms)
Completed 401 Unauthorized in 17ms (Views: 2.0ms | ActiveRecord: 2.8ms)