GraphiQL scope issue

Amichay

Running an orders query, I get FAILED - ACCESS_DENIED.

Confirmed that the problem is with the customer node (without it the query succeeds).

The private app has the read_customers scope, so I have no idea why I get "ACCESS_DENIED".

Please investigate.

shop: 'lumae-skin-eu'

example: gid://shopify/BulkOperation/20987904080

mutation {
  bulkOperationRunQuery(
    query: """
    {
      orders(query: "created_at:>'2020-05-04T14:00:00Z' created_at:<'2020-06-09T14:00:00Z'") {
        edges {
          node {
            id
            createdAt
            customer {
              id
              lastName
              firstName
              email
            }
            totalPriceSet {
              shopMoney {
                amount
              }
            }
          }
        }
      }
    }
    """
  ) {
    # The payload needs a selection set for the mutation to be valid
    bulkOperation {
      id
      status
    }
    userErrors {
      field
      message
    }
  }
}

app scopes:

{
  "access_scopes": [
    { "handle": "read_orders" },
    { "handle": "read_products" },
    { "handle": "read_product_listings" },
    { "handle": "write_customers" },
    { "handle": "write_checkouts" },
    { "handle": "read_content" },
    { "handle": "read_all_orders" },
    { "handle": "read_customers" },
    { "handle": "read_checkouts" }
  ]
}

_JB
Shopify Staff

Hey @Amichay,

Have you changed the app's scopes since making your post? I just checked the app and it doesn't have the read or write customers scope.

JB | Developer Support @ Shopify 

Amichay

Hi @_JB,

Interesting.

I ran some tests, and I found that even though the app permissions in the UI are not set to "Customers Read access", the admin/oauth/access_scopes.json endpoint does retrieve it as an app access_scope.

This is a big problem for us, because we are a third party that uses clients' private apps, and we check whether the client defined their app properly by querying the app scopes and comparing them to the scopes that we actually need.

This behavior of the endpoint prevents us from doing the app verification.

Please investigate.

Amichay

@_JB Jumping

Amichay

@_JB Jumping.

The endpoint retrieves the Customers scope in all cases, even when it is in "No access" status.

_JB
Shopify Staff

Hi @Amichay,

The accessScope endpoint is only meant to be used by apps that authenticate using OAuth. If you're using a private app, you can verify those scopes from the private app screen in the admin.

If you typically build one-off apps for merchants, you should use custom apps instead. Custom apps don't require review, and can be installed on a single Shopify store using OAuth so you aren't required to ask the merchant to generate API credentials.

JB | Developer Support @ Shopify 

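Added example, not part of the thread and not Shopify's code: a scope check that compares the reported scope list against the required scopes and then cross-checks it against the outcome of a real probe query, so a "scope listed but ACCESS_DENIED" case like the one above is reported as a mismatch. The function names and sample data are constructed, the probe shape mirrors the "FAILED - ACCESS_DENIED" result quoted in the first post, and treating write_x as covering read_x is an assumption.

```python
import json

# Constructed sample: same payload shape as the access_scopes.json output in the thread.
SCOPES_JSON = (
    '{"access_scopes": [{"handle": "read_orders"}, '
    '{"handle": "read_all_orders"}, {"handle": "read_customers"}]}'
)

# Constructed sample: a bulk operation that ended the way the first post describes.
PROBE_RESULT = {"status": "FAILED", "errorCode": "ACCESS_DENIED"}


def reported_scopes(payload: str) -> set:
    """Return the scope handles listed in an access_scopes.json response body."""
    return {entry["handle"] for entry in json.loads(payload).get("access_scopes", [])}


def missing_scopes(required: set, reported: set) -> set:
    """Required scopes not covered by the report (assumption: write_x covers read_x)."""
    covered = set(reported)
    for handle in reported:
        if handle.startswith("write_"):
            covered.add("read_" + handle[len("write_"):])
    return required - covered


def verify(required: set, payload: str, probe: dict) -> str:
    """Combine the reported scope list with the outcome of a real probe query."""
    missing = missing_scopes(required, reported_scopes(payload))
    if missing:
        return "missing: " + ", ".join(sorted(missing))
    if probe.get("status") == "FAILED" and probe.get("errorCode") == "ACCESS_DENIED":
        # The list claims the scope but the API refused: trust the denial.
        return "mismatch: scopes reported but access denied"
    return "ok"


if __name__ == "__main__":
    print(verify({"read_orders", "read_customers"}, SCOPES_JSON, PROBE_RESULT))
```
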