docs(core): Add docs on Permission.Owner and sessions

Relates to #1788

packages/core/src/api/config/generate-permissions.ts

@@ -11,7 +11,7 @@ GraphQL resolvers via the {@link Allow} decorator.
 
 ## Understanding Permission.Owner
 
-\`Permission.Owner\` is a special permission which is used in some of the Vendure resolvers to indicate that that resolver should only
+\`Permission.Owner\` is a special permission which is used in some Vendure resolvers to indicate that that resolver should only
 be accessible to the "owner" of that resource.
 
 For example, the Shop API \`activeCustomer\` query resolver should only return the Customer object for the "owner" of that Customer, i.e.

packages/core/src/api/decorators/allow.decorator.ts

@@ -12,6 +12,17 @@ export const PERMISSIONS_METADATA_KEY = '__permissions__';
  *
  * For REST controllers, it can be applied to route handlers.
  *
+ * ## Allow and Sessions
+ * The `@Allow()` decorator is closely linked to the way Vendure manages sessions. For any operation or route that is decorated
+ * with `@Allow()`, there must be an authenticated session in progress, which would have been created during a prior authentication
+ * step.
+ *
+ * The exception to this is when the operation is decorated with `@Allow(Permission.Owner)`. This is a special permission which is designed
+ * to give access to certain resources to potentially un-authenticated users. For this reason, any operation decorated with this permission
+ * will always have an anonymous session created if no session is currently in progress.
+ *
+ * For more information see [Understanding Permission.Owner](/docs/typescript-api/common/permission/#understanding-permissionowner).
+ *
  * @example
  * ```TypeScript
  *  \@Allow(Permission.SuperAdmin)