Shopify Permissions Vulnerability

Leffrey · ‎07-30-2024

I started to use Inbox recently and wanted to roll it out to some of our customer service reps. In order for customer service reps to be able to perform their jobs well, they need "view" permissions for Orders, Customers and Products. For most companies, customer service reps don't need a higher permission than "View Only" for products and once you give the user View Only permission for products, Shopify inadvertently gives Delete permissions for Content Files to that same user.

This a bug. Nobody would willingly give every customer service rep that permission, unless it was a higher level employee which would get those permissions anyway. Beware when giving permissions. Not all of them seem as they are. It is not just with Shopify. Almost all systems have some flaws and it is good when giving permissions to log in as that employee and poke around before making it live.

I hope that this one will get to the right people at Sho and addressed.

Drazdauskas · ‎09-10-2024

Have you managed to get around this at all? Or heard back from Shopify?

I can't believe Shopify have not spotted this obvious error.

Shopify Permissions Vulnerability

Shopify Permissions Vulnerability

Community Blog Articles