I'm building a simple web store with a Product model and an Order model. Non-authenticated users (i.e. guests) make orders but cannot update them (no login system with this store).
I keep a 'quantity' attribute in my Product model to keep track of how many of that item are left to sell. The problem is, I don't want the guest role to have permission to update products (they could change prices, names, etc. if so!) but I need to decrease the quantity and save an updated Product model in an action caused by the guest role.
without_access_control seems to be for testing. What's the best way to go about this issue?