Shopware 6.5.7.1 Admin Extension SDK requires more unrelated permissions to CMS element


I’m encountering an issue while building a CMS element using the Admin SDK in Shopware 6.5.7.1. During testing, console errors surfaced when opening the CMS element configuration modal (screenshot attached). These errors indicate missing permissions for the app. However, resolving them requires granting a number of permissions, even those seemingly unrelated to the app’s CMS element.

This extensive permission list raises concerns for our customers. Could you please advise on:

  • Specific permissions sincerely required for the app’s intended functionality?
  • Potential causes for the additional permissions being seemingly necessary?
  • Options to minimize permissions without affecting functionality?
  • Any relevant changes in permission handling between Shopware 6.5.5.2 and 6.5.7.1 that could explain this behavior?

I’m looking for a solution that protects both functionality and customer confidence.



Solution

  • As stated in "Unexpected permission behavior with Shopware v6.5.4.0 and Admin SDK", you have to adjust your permissions accordingly. Somewhere in your code you are fetching data that has associations to other entities, which results in the missing permission error. There are two options:

    1. Either you are fetching associations via the repository service and you are not using the includes parameter in your search criteria in order to narrow down your payload.
    2. Or you are using data.get in order to receive datasets from the Shopware administration without any selectors and thus receiving additional unpermitted data in your payload.

    I am assuming the latter, since Shopware is complaining about the "datasetGet" action in your error.

    Shopware added this behavior in some previous version (I think it was v6.5.4), because you were able to work with data you didn't even have permissions for. By adding includes / selectors you are not affecting your backwards compatibility, since you are just narrowing down the data to the data that you are actually using.
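
An added example, not part of the original answer or of Shopware's code: a small source check that lists every `data.get` call in an app's code that passes no `selectors`, which are the calls the answer points to as the likely source of the extra permission prompts. The sample source, dataset ids and selector path are constructed placeholders, and the function name is hypothetical.

```javascript
// Constructed sample of app code; dataset ids and the selector path are placeholders.
const SAMPLE_SOURCE = [
    "const all = await data.get({ id: 'example-dataset-a' });",
    "const narrowed = await data.get({",
    "    id: 'example-dataset-a',",
    "    selectors: ['config.title.value'],",
    "});",
    "data.get({",
    "    id: 'example-dataset-b',",
    "}).then((payload) => render(payload));",
].join('\n');

// Hypothetical helper: returns one finding per data.get() call without selectors.
// Limitation: parentheses inside string literals are not handled.
function findUnscopedDataGet(source) {
    const findings = [];
    const callStart = /\bdata\.get\s*\(/g;
    let match;
    while ((match = callStart.exec(source)) !== null) {
        // Walk forward to the matching ')' so multi-line calls are covered.
        let depth = 1;
        let i = callStart.lastIndex;
        while (i < source.length && depth > 0) {
            if (source[i] === '(') depth += 1;
            else if (source[i] === ')') depth -= 1;
            i += 1;
        }
        const args = source.slice(callStart.lastIndex, i - 1);
        // Accept `selectors: [...]`, `selectors: someVar` and shorthand `selectors,`.
        if (/\bselectors\s*[:,}]/.test(args)) continue;
        const idMatch = /\bid\s*:\s*['"]([^'"]+)['"]/.exec(args);
        findings.push({
            line: source.slice(0, match.index).split('\n').length,
            id: idMatch ? idMatch[1] : '(unknown id)',
        });
    }
    return findings;
}

for (const f of findUnscopedDataGet(SAMPLE_SOURCE)) {
    console.log(`line ${f.line}: data.get('${f.id}') has no selectors`);
}
```

Each reported call is a place to add selectors for only the fields the CMS element actually reads, then re-check which permissions the app still needs.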