Collaborator "Edit code" access - How to prevent malicious code insertion?

Grovy
Tourist
9 1 2

Hi! I am new to Shopify, but I have several years of experience with web development.

I recently installed a third-party app called Discount Depot, and they requested collaborator access to help fix an issue in my store. I gave them the permissions I felt confident delegating, but the permission "Online Store -> Themes -> Edit code" raises a concern for me.

How can I be sure the collaborator won't insert malicious code somewhere in my code? Is there any way to track what changes the collaborator has done in the code? If not, and some malicious code is inserted, how am I supposed to locate this code? 

Would appreciate some guidance here, in terms of best practices of security. Thanks!

Replies 4 (4)

tobebuilds
Shopify Partner
469 34 125

If you don't feel comfortable granting that access, then don't.

But if you don't grant the access, then it's your responsibility to make the changes to your theme to make the app work. Ask them which code changes need to be made, and then either code it yourself, or hire a developer to do it for you.

Founder, Regios Discounts app (4.8 stars, 64 reviews, Built for Shopify)
- Custom discounts made simple
- "Just about any discount you'll ever need"
- Built by an ex-Google software engineer
Grovy
Tourist
9 1 2

Is there no way to see what changes the collaborator has made while editing my code?

tobebuilds
Shopify Partner
469 34 125

Sure you can, but it's not built into Shopify:

1. Make a backup of your theme.

2. Commit all files to a new Git repository.

3. After the third-party has edited your code, download all files into the repository again.

4. Run `git diff` in your terminal, so that you can see exactly which lines were changed.

As you can imagine, this approach requires some knowledge of the command line, as well as an understanding of coding, so that you can understand what changes they have made.

If you have any further questions about this, reply and let me know.

Founder, Regios Discounts app (4.8 stars, 64 reviews, Built for Shopify)
- Custom discounts made simple
- "Just about any discount you'll ever need"
- Built by an ex-Google software engineer
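A concrete version of the four steps above, added here as an example and not part of the original thread: it assumes the theme files have already been exported to a "before" folder (prior to granting access) and an "after" folder (once the collaborator is done), records each state as a git commit, lists the files that changed, and pulls out any added lines that load scripts, which are the lines worth reading first. All paths and theme contents below are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): record a theme export in git before and after
# a collaborator's edits, then review the diff. Paths and theme contents are constructed.
set -eu

# Git identity and default branch are set per command so the script runs on a clean machine.
GIT='git -c user.name=theme-audit -c user.email=audit@example.invalid -c init.defaultBranch=main'

# snapshot_theme REPO SRC MESSAGE: replace the repo's working tree with the exported
# theme files in SRC and commit, so deleted files show up in the diff as well.
snapshot_theme() {
  repo=$1; src=$2; msg=$3
  mkdir -p "$repo"
  [ -d "$repo/.git" ] || $GIT -C "$repo" init -q
  find "$repo" -mindepth 1 -maxdepth 1 ! -name .git -exec rm -rf {} +
  cp -R "$src"/. "$repo"/
  $GIT -C "$repo" add -A
  $GIT -C "$repo" commit -q --allow-empty -m "$msg"
}

# changed_files REPO: one line per file that differs between the last two snapshots (M/A/D + path).
changed_files() {
  $GIT -C "$1" diff --name-status HEAD~1 HEAD
}

# flag_new_scripts REPO: only the added lines that introduce <script> tags or .js loads.
# Prints nothing when there are none; the full `git diff` is still what you review in the end.
flag_new_scripts() {
  $GIT -C "$1" diff HEAD~1 HEAD | grep -E '^\+' | grep -v '^+++' | grep -iE '<script|\.js' || true
}

# demo: build a constructed before/after export in a temp dir and run the review.
demo() {
  work=$(mktemp -d)
  mkdir -p "$work/before/layout" "$work/after/layout" "$work/after/snippets"
  printf '<html>\n{{ content_for_header }}\n{{ content_for_layout }}\n</html>\n' \
    > "$work/before/layout/theme.liquid"
  printf '<html>\n{{ content_for_header }}\n<script src="https://cdn.example.invalid/app.js"></script>\n{{ content_for_layout }}\n</html>\n' \
    > "$work/after/layout/theme.liquid"
  printf '<div class="app-widget"></div>\n' > "$work/after/snippets/app-widget.liquid"
  snapshot_theme "$work/repo" "$work/before" "Theme before granting collaborator access"
  snapshot_theme "$work/repo" "$work/after" "Theme after collaborator edits"
  changed_files "$work/repo"
  flag_new_scripts "$work/repo"
  rm -rf "$work"
}

demo
```

In practice, point `snapshot_theme` at the folder produced by downloading the theme (the theme editor's export or the Shopify CLI's theme pull) instead of the constructed folders, and keep the repository outside the theme itself.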
Grovy
Tourist
9 1 2

That's just genius, thank you so much! I have knowledge of this, so this is absolutely doable for me 🙂