I have a couple of scripts that look at the customer's tags to do some things (exposing wholesale shipping rates and a Net Terms payment option, for example). If I shop and go through checkout having never logged in, but use the email address attached to my account in checkout, the scripts somehow recognize me as a customer (which has the wholesale and terms tags I'm looking for in the script) and run accordingly, showing me wholesale shipping rates and the Net Terms payment option. I looked in the docs to see if there was a way to check the logged-in state, but didn't see anything. This seems like a huge security flaw, however unlikely it may be that someone gets hold of another customer's email address to exploit it. Is there a way around this? Can this be fixed?
I have noticed a similar thing; we have a script that checks order history and the accepts_marketing value (in order to discount a subscribed customer's first order). The script applies if we have their email address, even if they have not activated and/or logged into their account.
I got a response back from Shopify on this:
I heard back from both the front end devs and the team working on Shopify Scripts and there is actually no workaround for this one. There’s no way with the current setup to have a script that would expose customer-specific things to customers who are actually logged in. The way this has been implemented, the system can't know if the customer is logged in or not when they enter their email address at checkout. The only workaround would be to have customer accounts mandatory for checkout.
And apparently it's on their roadmap to be addressed, but it's not a priority, so no timeline could be given.
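To make the behaviour described in this thread concrete, here is an added example that is not code from any of the posters or from Shopify. It mimics the shape of the Shopify Scripts objects a shipping-rate script works with (a cart with an attached customer, the customer's tags, and shipping rates with a name) using plain-Ruby stand-ins so it runs offline; the customer directory, email addresses and rate names are constructed for the example. The point it shows is the one Shopify's reply makes: the script only ever sees the Customer object that checkout resolved from the entered email, and that object carries tags but no logged-in flag, so a guest who types a wholesale customer's address passes the tag gate.

```ruby
# Stand-ins for the Shopify Scripts object shapes (assumption: plain Ruby structs,
# not the real Input/Output objects). Customer carries tags but nothing that
# records whether the shopper authenticated.
Customer     = Struct.new(:email, :tags, :accepts_marketing)
ShippingRate = Struct.new(:name, :price)
Cart         = Struct.new(:customer)

# Constructed customer directory: what the store already knows per address.
CUSTOMERS = {
  "buyer@wholesale.example" => Customer.new("buyer@wholesale.example", ["wholesale", "net-terms"], true),
  "shopper@retail.example"  => Customer.new("shopper@retail.example", [], false),
}.freeze

# Constructed rate list; the wholesale rate is the one the script is meant to hide.
RATES = [
  ShippingRate.new("Standard", 9.99),
  ShippingRate.new("Wholesale Freight", 0.00),
].freeze

# Models what the thread reports: checkout attaches to the cart whichever
# customer record matches the typed email, logged in or not. The script is
# handed only the resulting Customer (or nil for an unknown address).
def resolve_customer(entered_email, logged_in_customer: nil)
  return logged_in_customer if logged_in_customer
  CUSTOMERS[entered_email.to_s.strip.downcase]
end

# The gating logic as a wholesale-rates script would write it: keep every rate
# for a tagged wholesale customer, otherwise drop the wholesale-only rates.
# There is no login check here because the Customer object offers none.
def visible_rates(cart, rates)
  customer  = cart.customer
  wholesale = customer && customer.tags.include?("wholesale")
  return rates if wholesale

  rates.reject { |r| r.name.downcase.include?("wholesale") }
end

# Guest checkout: nobody logged in, the shopper just typed an email address.
def rates_for_guest_checkout(entered_email)
  cart = Cart.new(resolve_customer(entered_email))
  visible_rates(cart, RATES).map(&:name)
end

if __FILE__ == $PROGRAM_NAME
  puts "guest typing a wholesale customer's email: #{rates_for_guest_checkout('buyer@wholesale.example').inspect}"
  puts "guest typing a retail customer's email:    #{rates_for_guest_checkout('shopper@retail.example').inspect}"
  puts "guest typing an unknown email:             #{rates_for_guest_checkout('nobody@example.invalid').inspect}"
end
```

Running it prints the wholesale rate for the first guest, which is exactly the gap the original post describes: the tag check is doing the work of an authentication check, but the only thing it actually verifies is that the shopper knows an email address. As Shopify's reply notes, the script cannot close that gap itself; requiring customer accounts at checkout is the setting that makes the resolved customer an authenticated one.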