We have a B2B store meant for our existing retailers.
The store offers discount pricing to our resellers, but each potential customer must be approved and under contract before they can make a purchase.
The Shopify B2B / 'New Customer accounts' login experience asks them to enter an email address, to which a 6-digit code is sent, and they must enter that code to 'log in' to the store.
The issue is that even if that email address does not have an existing customer account, Shopify will send the code and allow them to log in with it. It even *creates* a new customer account in the store for them. And that account, since it never went through a 'create account' form or process, has no information other than email address.
We need the login process to *verify* that they are a customer, not let them in regardless.
Is this a configuration issue that we are missing? How do we require a customer account to exist before it can be logged into?
Hey @emalueg!
If you are using the new customer accounts system, anyone can submit their email address to log in to an account. However, there are a couple of methods by which you can protect your site:
If you are on Shopify Plus and using the native B2B features, you can enable Shopify's setting for "Restrict access to B2B customers only" which can be found in your Shopify admin > Online store > Preferences. With this setting, you will need to manually assign a customer account to a company record before they are able to actually log in and access the site at all.
If you are not using Shopify Plus' native B2B features or want something a bit different, one possibility would be to use apps such as Locksmith and Customer Fields. Locksmith is an access control app which allows you to restrict access to the entire site, or to things like certain pages or seeing prices, and you can do this based on the customer account having a specific tag. The advantage of this method is that with the Customer Fields app, you can have potential customers submit their own information using a form on your site, which then gives you the option to approve/deny the request and automatically add the tag to their account, giving them access to the site. Using a tag-based lock means that even if a user were to log in directly through the new customer accounts system, they would not actually gain access until they get approved through the form.
Thanks for the reply!
We certainly can add code that restricts customers based on a tag or other criteria, but my main concern is *these shouldn't be customers*.
We shouldn't have to add extra code or apps to restrict access, when the simple concept of 'login' should. But instead of authenticating a customer, it's creating new customers.
Is there no way to simply turn off the automatic creating of customers? To separate 'login' from 'registration'?
While I personally agree, from what I understand of the way the new customer accounts system works, this is not currently possible natively. The closest native option for this would be the Shopify Plus setting for "Restrict access to B2B customers only".
Ok, thanks for the information.
Not the route I'd prefer, but I at least know my options.
I have a similar wholesale setup as you where we need to approve customers. I don't think there is any Shopify feature that does what you want but the way we solved it was by adding a tag to each customer that was approved and then a small amount of coding in the theme that checks a) is the customer logged in and b) do they have the tag. If they don't have the tag then redirect them to a page that explains they need to be authorised. You need to include this code in the template in such a way that it applies to all pages / collections so that if anyone tries to visit any page it will check that they are authorised. Works well for us.
I have a simple store website and need to protect access to a wholesale product collection. This sounds like a possible solution for me as well. Was it hard to implement, and could it be customized to a specific collection?
The way we handled it is like this:
1) Apply a tag to the customers that you want to grant access, that way if a random customer registers themselves they won't have the tag until you explicitly add it.
2) Add some Liquid code to check the customer's tags and redirect if they don't have the access tag. In our case we created a Snippet called redirects.liquid and then included it in the main template so that all pages are restricted, but you could selectively include it only in certain pages / collections.
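Tim's snippet itself is not posted in the thread. The following is an added example, written for this editorial pass and not code from the thread or from Shopify, of the tag-gated layout described in the two posts above (check logged in, check for the tag, otherwise redirect). The tag name `wholesale-approved`, the holding page handle `access-pending`, and the placement in `layout/theme.liquid` are assumptions; rename them to match your store. It wraps `content_for_layout` instead of only emitting a redirect, so an unapproved visitor never receives the page body in the HTML at all, and it exempts the holding page and the classic account pages so the redirect cannot loop.

```liquid
{%- comment -%}
  Added example (not the thread's original snippet). Place in layout/theme.liquid
  in place of the bare {{ content_for_layout }} so every storefront page is gated.
  Assumed names: access tag "wholesale-approved", holding page handle "access-pending".
{%- endcomment -%}

{%- assign access_tag = 'wholesale-approved' -%}
{%- assign pending_handle = 'access-pending' -%}
{%- assign pending_url = '/pages/' | append: pending_handle -%}
{%- assign allowed = false -%}

{%- comment -%}
  customer is nil when nobody is logged in, so the "and" short-circuits safely.
  customer.tags is an array, so "contains" is an exact-element match, not a
  substring match: "wholesale-approved-pending" would NOT satisfy it.
{%- endcomment -%}
{%- if customer and customer.tags contains access_tag -%}
  {%- assign allowed = true -%}
{%- endif -%}

{%- comment -%}
  Pages that must stay reachable for everyone, otherwise the redirect below
  would bounce the visitor back to itself forever.
{%- endcomment -%}
{%- if request.page_type == 'page' and page.handle == pending_handle -%}
  {%- assign allowed = true -%}
{%- elsif request.page_type == 'customers/login' or request.page_type == 'customers/register' -%}
  {%- assign allowed = true -%}
{%- endif -%}

{%- if allowed -%}
  {{ content_for_layout }}
{%- else -%}
  {%- comment -%}
    Liquid cannot send an HTTP redirect, so the redirect is client-side.
    The page body is deliberately not rendered in this branch, so the
    response contains no product, price or collection markup to scrape.
  {%- endcomment -%}
  <p>Your account is awaiting approval.</p>
  <script>window.location.replace({{ pending_url | json }});</script>
{%- endif -%}
```

Two caveats worth knowing before relying on this. First, it only gates what the theme renders: storefront JSON endpoints such as `/products.json` and anything served through the Storefront API are not rendered through `theme.liquid`, so catalogue and price data can still be exposed there; hiding prices from unapproved accounts needs an app such as Locksmith or the Plus B2B setting mentioned earlier in the thread. Second, with the new customer accounts system the login screen is hosted outside the theme, so the `customers/login` exemption above only matters for classic accounts and is harmless otherwise; the tag check still applies the moment the visitor lands back on the storefront, which is exactly why a freshly auto-created account with no tag is kept out.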
Hi Tim, this sounds good to me. Can you share the code you used?