Open fairknowe opened 1 month ago
Hi @fairknowe, thank you for opening this issue. This looks like an inconsistency coming from the API. I'll put it in our backlog so that we can take a look.
Having this issue addressed would allow certain features in an app to be hidden if the user doesn't have the necessary permissions. Do you have an update on progress toward a fix?
Issue summary
Before opening this issue, I have:
shopify_app version: 22.2.1
log_level: :debug in my configuration, if applicable

The demonstration app used for this issue report is based on the Ruby Shopify App Template, where sample products can be created with the click of a button.
The requested App installation scope is `write_products`.

Two users are considered: the Store (Account) owner, and a Staff person who has only 'View' permissions on Products.
Expected behavior
Since the Store owner has full permissions on Products, the User session repository scope should be `write_products`. However, the Staff person with limited 'View' permissions should only have `read_products` in their session repository scope.
Actual behavior
Querying the User session repository scopes for the Store owner returns `write_products`, as expected. Querying the User session repository scopes for the Staff person also returns `write_products`, which is not expected.
The Store owner is able to generate Products through the App without error. However, the Staff person cannot, indicating the user's 'View' permissions are enforced on Shopify's backend.
The screenshots of the browser logs, below, illustrate the outcomes.
Store owner:
Staff person:
Steps to reproduce the problem
I can provide the demo app code if necessary.
Debug logs
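To make the scope comparison behind this report concrete, here is an added Ruby example (it is not code from the shopify_app gem, the Ruby Shopify App Template, or the issue author). It models the Shopify access-scope rule that a granted `write_<resource>` scope also implies `read_<resource>`, so a staff session that reports `write_products` will pass a `read_products` gate as well as a `write_products` one. The `AccessScopes` class and `feature_visible?` helper are my own names, and the scope strings are constructed to mirror the owner and staff sessions described above.

```ruby
# Added example, not code from shopify_app or the issue author.
# Models Shopify access-scope coverage: write_<resource> implies read_<resource>.
require 'set'

class AccessScopes
  attr_reader :granted

  # Accepts either a comma-separated string ("write_products,read_orders")
  # or an array of scope names.
  def initialize(scopes)
    list = scopes.is_a?(String) ? scopes.split(',') : Array(scopes)
    @granted = list.map(&:strip).reject(&:empty?).to_set
  end

  # Granted scopes plus the read scopes they imply.
  def expanded
    @granted.each_with_object(Set.new) do |scope, acc|
      acc << scope
      acc << scope.sub(/\Awrite_/, 'read_') if scope.start_with?('write_')
    end
  end

  # True when every required scope is granted directly or implied.
  def covers?(required)
    AccessScopes.new(required).granted.subset?(expanded)
  end
end

# UI gate: show an action only if the session's reported scopes cover the
# scope the action needs. This is a hint for the UI, not authorization;
# Shopify enforces the staff member's real permissions when the API is called.
def feature_visible?(session_scopes, required_scope)
  AccessScopes.new(session_scopes).covers?(required_scope)
end

# Constructed sessions mirroring the report (assumption: scope strings as
# returned by the user session repository).
OWNER_SESSION_SCOPES = 'write_products'
STAFF_SESSION_SCOPES_REPORTED = 'write_products'  # what the repository returns
STAFF_SESSION_SCOPES_EXPECTED = 'read_products'   # what the issue expects

if __FILE__ == $PROGRAM_NAME
  puts "owner can see 'Create product':            #{feature_visible?(OWNER_SESSION_SCOPES, 'write_products')}"
  puts "staff (reported) can see 'Create product':  #{feature_visible?(STAFF_SESSION_SCOPES_REPORTED, 'write_products')}"
  puts "staff (expected) can see 'Create product':  #{feature_visible?(STAFF_SESSION_SCOPES_EXPECTED, 'write_products')}"
  puts "staff (expected) can see product list:      #{feature_visible?(STAFF_SESSION_SCOPES_EXPECTED, 'read_products')}"
end
```

With the reported scopes, the gate cannot distinguish the two users, so the staff member sees the create button and only fails at the API call; with the expected `read_products`, the write-only action is hidden while read-only views remain visible.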