Re: Issue with Accessing Order Object in Shopify App Despite Correct Scopes

Solved


Oldfire
Shopify Partner

Hello Shopify Community,

I'm developing a Shopify app and have encountered an issue when attempting to access order information via GraphQL. Despite having the necessary permissions set for my app, I'm receiving the following error when executing my query:

GraphqlQueryError: This app is not approved to access the Order object. See https://partners.shopify.com/[redacted]/apps/[redacted]/customer_data for more details.


Permissions Granted:

  • Edit orders
  • All order details for the last 60 days
  • View and Sync Discounts

The order I'm trying to access is only 20 days old, so it falls within the permitted range. Below is the GraphQL query I'm using:

 

query getOrder($id: ID!) {
  order(id: $id) {
    id,
    currencyCode,
    presentmentCurrencyCode,
    totalTaxSet {
      presentmentMoney {
        amount,
        currencyCode
      }
    },
    totalPriceSet {
      presentmentMoney {
        amount,
        currencyCode
      }
    },
    name,
    netPaymentSet {
      presentmentMoney {
        amount,
        currencyCode
      }
    },
    requiresShipping,
    restockable,
    shippingLine {
      discountedPriceSet {
        presentmentMoney {
          amount,
          currencyCode
        }
      }
    },
    metafields(first: 1, namespace: "$app:redacted-name") {
      nodes {
        namespace,
        id,
        value,
        key
      }
    }
  }
}

 

 

I'm concerned that part of my query might be accessing data considered sensitive by Shopify, but I'm not sure which part could be causing the issue. The query includes many fields, but none of these seem to directly access sensitive customer data.

 

The app also has the following permission details with respect to the store context it is installed in:

[Image: Oldfire_0-1708292761506.png]


Also, I have tested this scope with a local tunneled app and did not have this issue. The scopes env vars are also correctly passed to the environment: 

[Image: Oldfire_1-1708292989188.png]

(I attempted to check if products scope was missing, but that did not solve the issue.)

Additional context:
Remix app, a loader at a route URL serving fetch for a block extension

const { admin, cors } = await authenticate.admin(request);

Request is done with admin.graphql and works wonderfully in a local environment with identical permissions.

Questions:

  1. Is there any part of my query that's known to require additional permissions or is considered sensitive?
  2. Has anyone experienced a similar issue and found a workaround or solution?
  3. Are there best practices or documentation that I might have overlooked regarding accessing order information with GraphQL in Shopify?

Any guidance, suggestions, or references to documentation would be greatly appreciated. Thank you in advance for your help!

Accepted Solution (1)

Oldfire
Shopify Partner

This is an accepted solution.

If anyone comes here to look for a solution, then I can say I didn't find the most ideal solution here, but I found a fix that works for now.

Because this error only happened when I made a request from a UI Extension to the Remix backend, I simply stopped making these requests.


Replies 4 (4)

Oldfire
Shopify Partner

Is this perhaps because of the metafield that relates to the single order? https://shopify.dev/docs/apps/store/data-protection/protected-customer-data

BrainStation23
Shopify Partner

Find the shopify.app.toml file in code and update the scopes = "write_products, read_themes, read_orders, write_orders"

Maybe this will solve your issue.

 

Oldfire
Shopify Partner

What would be the idea behind the read_themes scope?
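
An added example, not part of the thread and not Shopify's or any poster's code: a small check that separates a missing-scope problem from the approval error quoted in the question, and lists configured scopes beyond what the query needs. The function names, the `needed` and `granted` values, and the rule that `write_x` covers `read_x` are assumptions; the `configured` string is the one suggested in the reply above.

```javascript
// Added example, not code from the thread. Function names are hypothetical.

// Parse "a, b,c" into a Set. With implied=true, write_x also yields read_x
// (assumption: a write scope covers the matching read scope).
function parseScopes(scopeString, implied = false) {
  const scopes = new Set();
  for (const raw of scopeString.split(",")) {
    const scope = raw.trim();
    if (!scope) continue;
    scopes.add(scope);
    if (implied && scope.startsWith("write_")) {
      scopes.add("read_" + scope.slice("write_".length));
    }
  }
  return scopes;
}

// Matches the wording of the error quoted in the question, which names an
// object and an approval rather than a scope.
function isApprovalError(message) {
  return /not approved to access the \w+ object/i.test(message);
}

// needed: scopes the query requires; configured: the app's scopes string;
// granted: scopes the installation actually holds.
function diagnose({ needed, configured, granted, errorMessage }) {
  const need = parseScopes(needed);
  const grant = parseScopes(granted, true);
  const missing = [...need].filter((s) => !grant.has(s)).sort();
  const excess = [...parseScopes(configured)].filter((s) => !need.has(s)).sort();
  let verdict = "unknown";
  if (missing.length > 0) verdict = "missing-scope";
  else if (isApprovalError(errorMessage)) verdict = "approval-gate";
  return { verdict, missing, excess };
}

// Constructed sample. `needed` and `granted` are assumed values; `configured`
// is the string from the reply; the error text is the one in the question.
const sample = {
  needed: "read_orders",
  configured: "write_products, read_themes, read_orders, write_orders",
  granted: "write_orders",
  errorMessage: "GraphqlQueryError: This app is not approved to access the Order object.",
};
console.log(diagnose(sample));
```

An `approval-gate` verdict with an empty `missing` list means adding scopes will not change the outcome; `excess` lists configured scopes the query does not need.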
