vendure-ecommerce / vendure

The commerce platform with customization in its DNA.
https://www.vendure.io
MIT License

Custom Fields Permission in Admin UI affect the shop-api #2878

Closed margamorais closed 3 weeks ago

margamorais commented 3 weeks ago

Describe the bug

Since Vendure 2.2.0 it's possible to add permissions to custom fields, however these permissions also affect what the Customer can see in the storefront, as it affects the shop-api. By adding requiresPermission to a customField, if the Customer role doesn't have this permission, the field won't be visible in the storefront.

To Reproduce

Steps to reproduce the behavior:

  1. Create a custom field for the entity Product
  2. Add requiresPermissions field to the custom field with any permission that is not available in the Customer role
  3. Go to the shop-api and fetch a product, and place the custom field on the query
  4. The custom field will be null (make sure that it isn't null on the DB)

Expected behavior

Given that the custom field type already has a public setting, which tells if the field is visible in the shop api or not, the requires permissions setting should not be affecting this. Either, there is a Permission.Customer, similar to the Permission.SuperAdmin which allows us to add that permission to the field and makes it visible in the shop-api, even though it has other permissions required, or the requiresPermissions setting should not affect the visibility of the field on the shop-api, it should only affect the field on the admin-api/admin-ui.

michaelbromley commented 3 weeks ago

This is a great point! I think the best course is the suggestion of making the existing public: true property determine visibility in the Shop API. I think that is the most simple and expected behaviour, and does not require us to introduce a new permission to cover just this case.
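
The two visibility rules discussed in this thread, modelled side by side. This is an added example, not part of the thread and not Vendure source code: the types, function names, field names and sample values are hypothetical, and it assumes an omitted public setting means visible and that holding any one listed permission is sufficient.

```typescript
// Simplified model of the visibility rules discussed in this issue.
// Not Vendure source: all type and function names here are hypothetical.
type ApiType = 'admin' | 'shop';
type Rule = (f: FieldConfig, api: ApiType, perms: string[]) => boolean;

interface FieldConfig {
  name: string;
  public?: boolean;              // Shop API exposure; omitted is treated as true (assumption)
  requiresPermission?: string[]; // holding any one listed permission is enough (assumption)
}

function holdsAny(perms: string[], required: string[] = []): boolean {
  return required.length === 0 || required.some(p => perms.indexOf(p) !== -1);
}

// Reported behaviour: the permission check runs for both APIs.
const asReported: Rule = (f, api, perms) =>
  !(api === 'shop' && f.public === false) && holdsAny(perms, f.requiresPermission);

// Proposed behaviour: `public` alone decides Shop API visibility;
// requiresPermission only gates the Admin API.
const asProposed: Rule = (f, api, perms) =>
  api === 'shop' ? f.public !== false : holdsAny(perms, f.requiresPermission);

// Null out every custom field the caller may not see (the symptom in step 4).
function redact(
  values: Record<string, unknown>, fields: FieldConfig[],
  api: ApiType, perms: string[], rule: Rule,
): Record<string, unknown> {
  const out: Record<string, unknown> = {};
  for (const f of fields) {
    out[f.name] = rule(f, api, perms) ? values[f.name] : null;
  }
  return out;
}

// Constructed sample data: field names, permission names and values are invented.
const fields: FieldConfig[] = [
  { name: 'careInstructions', public: true, requiresPermission: ['UpdateCatalog'] },
  { name: 'supplierCost', public: false, requiresPermission: ['UpdateCatalog'] },
];
const stored = { careInstructions: 'Hand wash only', supplierCost: 1250 };
const customerPerms = ['Authenticated'];
```

Under the proposed rule a field that carries only requiresPermission is readable through the Shop API, so any field that must stay hidden from the storefront needs public: false as well.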

margamorais commented 2 weeks ago

Thank you!