This repository has been archived by the owner on Mar 28, 2024. It is now read-only.

Missing privileges since shopware 6.5.4.0 #88

Open
bilobait-lohrmann opened this issue Aug 11, 2023 · 32 comments

@bilobait-lohrmann

bilobait-lohrmann commented Aug 11, 2023

We have a problem related to privileges, which came up with the latest update. We are using the latest Admin SDK version:

We had the following code:

sw.data.get({
    id: 'sw-category-detail__category'
})

This worked fine, but now we get the error:
Uncaught (in promise) Error: Your app is missing the privileges read:sales_channel_domain, read:customer, read:newsletter_recipient, read:order, read:category_translation, read:country_state_translation, read:country_translation, read:currency_translation, read:customer_group_translation, read:locale_translation, read:media_translation, read:payment_method_translation, read:product_manufacturer_translation, read:product_translation, read:shipping_method_translation, read:unit_translation, read:property_group_translation, read:property_group_option_translation, read:sales_channel_translation, read:sales_channel_type_translation, read:salutation_translation, read:plugin_translation, read:product_stream_translation, read:state_machine_translation, read:state_machine_state_translation, read:cms_page_translation, read:cms_slot_translation, read:mail_template_translation, read:mail_header_footer_translation, read:document_type_translation, read:number_range_type_translation, read:delivery_time_translation, read:product_search_keyword, read:product_keyword_dictionary, read:mail_template_type_translation, read:promotion_translation, read:number_range_translation, read:product_review, read:seo_url, read:tax_rule_type_translation, read:product_cross_selling_translation, read:import_export_profile_translation, read:product_sorting_translation, read:product_feature_set_translation, read:app_translation, read:app_action_button_translation, read:landing_page_translation, read:app_cms_block_translation, read:app_script_condition_translation, read:app_flow_action_translation, read:tax_provider_translation, read:theme_translation, read:media, read:tag, read:media_thumbnail, read:product_manufacturer, read:product_media, read:product_download, read:order_line_item_download, read:user, read:property_group_option, read:mail_template_media, read:document_base_config, read:shipping_method, read:payment_method, read:product_configurator_setting, read:order_line_item, read:cms_block, 
read:cms_section, read:cms_page, read:document, read:app_payment_method, read:theme, read:landing_page, read:rule, read:main_category for action "datasetGet".

We could fix it by updating our statement:

sw.data.get({
    id: 'sw-category-detail__category',
    selectors: ['description', 'id']
})

The problem is that for the following code I don't have a solution:

const systemRepository = sw.data.repository('system_config');
const systemCriteria = new sw.data.Classes.Criteria();
systemCriteria.addFilter(
    sw.data.Classes.Criteria.contains('configurationKey', self.appInfoName + '.config')
);

systemRepository.search(systemCriteria).then((data) => {
});

For the search I get a similar error, but updates are also affected:

app.js?id=6c61f8566768b95930413a2815603454:3846 Uncaught (in promise) Error: Your app is missing the privileges read:sales_channel_domain, read:customer, read:newsletter_recipient, read:order, read:category_translation, read:country_state_translation, read:country_translation, read:currency_translation, read:customer_group_translation, read:locale_translation, read:media_translation, read:payment_method_translation, read:product_manufacturer_translation, read:product_translation, read:shipping_method_translation, read:unit_translation, read:property_group_translation, read:property_group_option_translation, read:sales_channel_translation, read:sales_channel_type_translation, read:salutation_translation, read:plugin_translation, read:product_stream_translation, read:state_machine_translation, read:state_machine_state_translation, read:cms_page_translation, read:cms_slot_translation, read:mail_template_translation, read:mail_header_footer_translation, read:document_type_translation, read:number_range_type_translation, read:delivery_time_translation, read:product_search_keyword, read:product_keyword_dictionary, read:mail_template_type_translation, read:promotion_translation, read:number_range_translation, read:product_review, read:seo_url, read:tax_rule_type_translation, read:product_cross_selling_translation, read:import_export_profile_translation, read:product_sorting_translation, read:product_feature_set_translation, read:app_translation, read:app_action_button_translation, read:landing_page_translation, read:app_cms_block_translation, read:app_script_condition_translation, read:app_flow_action_translation, read:tax_provider_translation, read:theme_translation for action "repositorySearch".

The privileges of the app are the following:

<permissions>
    <read>product</read>
    <update>product</update>
    <read>category</read>
    <update>category</update>
    <read>language</read>
    <read>locale</read>
    <read>sales_channel</read>
    <read>system_config</read>
    <update>system_config</update>
    <permission>notification:create</permission>
</permissions>

https://shopwarecommunity.slack.com/archives/C025YFFMP6W/p1691649876593379

@jleifeld jleifeld self-assigned this Aug 11, 2023
@jleifeld
Contributor

Hey @bilobait-lohrmann,

I will have a look at your issue and will give you more information after testing it out.

@jleifeld
Contributor

jleifeld commented Aug 11, 2023

FYI: I can reproduce the error and will fix this issue. I will report the status here. You can also see the current progress in the issue tracker: https://issues.shopware.com/issues/NEXT-29862

@jleifeld
Contributor

Issue is resolved: https://issues.shopware.com/issues/NEXT-29862

@bilobait-lohrmann
Author

I just tested the newest release of Shopware, which should contain the fix, with my apps. Unfortunately the error is still present. If you want, I can send you the login credentials to the test system via Slack.

@bilobait-lohrmann
Author

OK, I figured out that I now have to add the privileges for create, update and delete for my custom entities. This was not necessary yet. I updated my plugins, now everything seems to work again.

@bilobait-lohrmann
Author

I did some further tests. For the following code I still get a permission error:

const languageRepository = sw.data.repository('language');
languageRepository.search().then((data) => { });

gives

Uncaught (in promise) Error: Your app is missing the privileges read:sales_channel_domain, read:customer, read:newsletter_recipient, read:order, read:category_translation, read:country_state_translation, read:country_translation, read:currency_translation, read:customer_group_translation, read:locale_translation, read:media_translation, read:payment_method_translation, read:product_manufacturer_translation, read:product_translation, read:shipping_method_translation, read:unit_translation, read:property_group_translation, read:property_group_option_translation, read:sales_channel_translation, read:sales_channel_type_translation, read:salutation_translation, read:plugin_translation, read:product_stream_translation, read:state_machine_translation, read:state_machine_state_translation, read:cms_page_translation, read:cms_slot_translation, read:mail_template_translation, read:mail_header_footer_translation, read:document_type_translation, read:number_range_type_translation, read:delivery_time_translation, read:product_search_keyword, read:product_keyword_dictionary, read:mail_template_type_translation, read:promotion_translation, read:number_range_translation, read:product_review, read:seo_url, read:tax_rule_type_translation, read:product_cross_selling_translation, read:import_export_profile_translation, read:product_sorting_translation, read:product_feature_set_translation, read:app_translation, read:app_action_button_translation, read:landing_page_translation, read:app_cms_block_translation, read:app_script_condition_translation, read:app_flow_action_translation, read:tax_provider_translation, read:theme_translation for action "repositorySearch".

and

const languageRepository = sw.data.repository('category');
languageRepository.search().then((data) => { });

gives

Uncaught (in promise) Error: Your app is missing the privileges read:category_translation, read:tag, read:main_category, read:seo_url for action "repositorySearch".

@bilobait-lohrmann
Author

@jleifeld
Can you please give me a response? This is a very urgent issue for us.

@seggewiss
Contributor

Sorry for taking so long. I will take a look ASAP.

@seggewiss seggewiss reopened this Oct 5, 2023
@seggewiss
Contributor

I know this might be unpleasant for you, but the requested permissions by the SDK are valid.
Take a look at the LanguageDefinition. All the requested permissions are associations of the language entity. Therefore by reading a highly coupled entity like languages you will need a lot of permissions to do so, as you could access all the associations.

Same goes for the CategoryDefinition. Please let me know if there are any cases where you search for an entity and a permission is requested that is not related to the read entity 😊

@bilobait-lohrmann
Author

The problem is that, if I request the category repository, a lot of other plugins can also add an association to it. We therefore can't know all the associations and have to update our app all the time if a new plugin is installed on the customer side. Is there a way we can say we don't want to load the associations?

@seggewiss
Contributor

Ah I see. So what you are saying is that this problem also exists for reverse associations?

@seggewiss seggewiss reopened this Oct 5, 2023
@bilobait-lohrmann
Author

Yes, for example I currently have the following error if I load the product entity:

Error: Your app is missing the privileges read:swag_paypal_pos_sales_channel_run_log, read:swag_paypal_pos_sales_channel_product, read:cbax_lexicon_entry, read:solid_pv_product_embedded_video_media for action "repositorySearch".

@seggewiss
Contributor

Okay, that's a real problem 😞
What do you think about the following:

We only validate for read permissions if an EntityCollection is requested in the Criteria

@bilobait-lohrmann
Author

I am not sure what you mean by "if an EntityCollection is requested in the Criteria".
What would this look like?

@seggewiss
Contributor

seggewiss commented Oct 5, 2023

Currently you request like this:

const languageRepository = sw.data.repository('category');
languageRepository.search().then((data) => { });

This will not give you errors for associations then. However, if you request like this:

const criteria = new Criteria();
criteria.addAssociation('associationWithoutReadPermissions');
const languageRepository = sw.data.repository('category');
languageRepository.search(criteria).then((data) => { });

Will result in an error again as an association is requested that the app is missing read privileges for.
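
Added example (not part of the thread and not Shopware or SDK code): a toy model of the two validation rules discussed above, the strict check over every reachable association and the proposed check over only the associations named in the criteria. The schema shape, association names, grant set and function names are constructed for illustration; the entity names are taken from the category error message and the manifest earlier in the thread.

```javascript
// Constructed toy schema: entity -> { associationName: targetEntity }.
// Association names and graph shape are assumptions, not real definitions.
const SCHEMA = {
  category: {
    translations: 'category_translation',
    tags: 'tag',
    mainCategories: 'main_category',
    seoUrls: 'seo_url',
  },
  category_translation: { language: 'language' },
  seo_url: { language: 'language' },
  language: { locale: 'locale' },
  tag: {},
  main_category: {},
  locale: {},
};

// Constructed grant set, mirroring the <read> entries of the manifest above.
const GRANTED = new Set(['product', 'category', 'language', 'locale',
  'sales_channel', 'system_config'].map((e) => `read:${e}`));

// Strict rule (assumed transitive): every entity reachable from the root
// through any association must be readable.
function reachableEntities(schema, root) {
  const seen = new Set();
  const stack = [root];
  while (stack.length > 0) {
    const entity = stack.pop();
    if (seen.has(entity)) continue; // association graphs can contain cycles
    seen.add(entity);
    stack.push(...Object.values(schema[entity] || {}));
  }
  return seen;
}

// Proposed rule: the root plus only the association paths named in the
// criteria (dot paths such as 'translations.language').
function requestedEntities(schema, root, associationPaths) {
  const needed = new Set([root]);
  for (const path of associationPaths) {
    let entity = root;
    for (const part of path.split('.')) {
      const assoc = schema[entity] || {};
      if (!Object.hasOwn(assoc, part)) {
        throw new Error(`unknown association "${part}" on "${entity}"`);
      }
      entity = assoc[part];
      needed.add(entity);
    }
  }
  return needed;
}

// Returns the sorted list of read privileges the app lacks for one search.
function checkSearch(schema, root, associationPaths, granted, mode) {
  const entities = mode === 'strict'
    ? reachableEntities(schema, root)
    : requestedEntities(schema, root, associationPaths);
  return [...entities].map((e) => `read:${e}`)
    .filter((p) => !granted.has(p)).sort();
}

console.log(checkSearch(SCHEMA, 'category', [], GRANTED, 'strict'));
console.log(checkSearch(SCHEMA, 'category', ['tags'], GRANTED, 'requested'));
```

Under the strict rule, an association added to `category` by another extension changes the result for every app that searches categories; under the proposed rule the result changes only for apps that name that association in their criteria.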

@bilobait-lohrmann
Author

Yes, that is exactly what I was looking for.

@seggewiss
Contributor

I've created an issue and will start the work ASAP! Please take a look at the progress here:

https://issues.shopware.com/issues/NEXT-30849

@bilobait-lohrmann
Author

Thank you

@hungmac-sw

This issue also appears when getting the element configs with the code below:

import { data } from '@shopware-ag/admin-extension-sdk';
// ...
await data.get({ id: 'MY_CMS_ELEMENT__config-element' });

Error message:

missing-priviliges-error-serializer.js:10 Uncaught (in promise) Error: Your app is missing the privileges read:cms_slot_translation, read:language, read:sales_channel, read:sales_channel_domain, read:customer, read:newsletter_recipient, read:order, read:category_translation, read:country_state_translation, read:country_translation, read:currency_translation, read:customer_group_translation, read:locale_translation, read:media_translation, read:payment_method_translation, read:product_manufacturer_translation, read:product_translation, read:shipping_method_translation, read:unit_translation, read:property_group_translation, read:property_group_option_translation, read:sales_channel_translation, read:sales_channel_type_translation, read:salutation_translation, read:plugin_translation, read:product_stream_translation, read:state_machine_translation, read:state_machine_state_translation, read:cms_page_translation, read:mail_template_translation, read:mail_header_footer_translation, read:document_type_translation, read:number_range_type_translation, read:delivery_time_translation, read:product_search_keyword, read:product_keyword_dictionary, read:mail_template_type_translation, read:promotion_translation, read:number_range_translation, read:product_review, read:seo_url, read:tax_rule_type_translation, read:product_cross_selling_translation, read:import_export_profile_translation, read:product_sorting_translation, read:product_feature_set_translation, read:app_translation, read:app_action_button_translation, read:landing_page_translation, read:app_cms_block_translation, read:app_script_condition_translation, read:app_flow_action_translation, read:tax_provider_translation, read:theme_translation for action "datasetGet".
    at Object.deserialize (missing-priviliges-error-serializer.js:10:1)
    at index.js:56:1
    at baseClone (_baseClone.js:97:1)
    at _baseClone.js:161:1
    at arrayEach (_arrayEach.js:15:1)
    at baseClone (_baseClone.js:155:1)
    at cloneDeepWith (cloneDeepWith.js:37:1)
    at deserialize (index.js:53:29)
    at callbackHandler (channel.js:140:1)

@seggewiss
Contributor

For Data sets we can't resolve this issue. We need to ensure that an app only gets the data from the shop it has rights for.
For example a shop classifies their customers and carefully checks that no apps have permissions to read customers.
Now you request a dataset containing a customer. For data.get & data.subscribe you will always need either the complete permissions or you boil down the data you get with selectors:

https://shopware.github.io/admin-extension-sdk/docs/guide/api-reference/data/get

@hungmac-sw

Hi @seggewiss, thank you for your answer. It works for me.

@seggewiss
Contributor

Hi @bilobait-lohrmann,

The issue is resolved and is already live in our cloud environment. For self-hosted it will be contained in the next patch release. You need to update your app to SDK version 3.0.15. For testing purposes you could use the trunk branch of Shopware.

@bilobait-lohrmann
Author

Hello @seggewiss

Today I had the chance to test in the current cloud env from Shopware with the current SDK active. Unfortunately I still get the error:
app.js?id=eae874019f8b9c5767393c481a2198f9:2 Uncaught (in promise) Error: Your app is missing the privileges read:quote for action "repositorySearch".

if I call

const languageRepository = sw.data.repository('language');
languageRepository.search().then((data) => { });

@bilobait-lohrmann
Author

@seggewiss

I did some further testing. On the client cloud I get the following error for the following call:

const productRepository = sw.data.repository('product');
productRepository.search().then((data) => { });

Error: Cannot read properties of undefined (reading 'forEach')

The function where this error is thrown is:

function deserialize(messageData, event) {
    return cloneDeepWith(messageData, (value, key, object, stack) => {
        // return first matching serializer result
        for (const serializer of serializers) {
            const result = serializer.deserialize({
                value,
                key,
                object,
                stack,
                event,
                customizerMethod: deserialize,
            });

            if (result) {
                return result;
            }
        }
    });
}

In a clean cloud installation I don't get this error.

@seggewiss
Contributor

We have automated tests in place that assure the bug fix works. We will need more information to reproduce this issue

  1. Which privileges does your app have? (Can you maybe provide us with a minimal reproduction repo?)
  2. What do you mean by "In a clean cloud installation I don't get this error"?

@bilobait-lohrmann
Author

  1. The app has the read privilege for 'language' and 'product'; it's very simple.
  2. With clean install I mean a cloud instance created in the Shopware account (can be done in the plugin area). I have a customer which already has some plugins installed, and then the error with the product repo occurs. The problem with the language repo I have on every instance.

If it is easier, we can meet on Slack and I can show it to you directly.

@seggewiss
Contributor

Maybe a dumb question but are you passing in a criteria?
https://shopware.github.io/admin-extension-sdk/docs/guide/api-reference/data/repository#search

Cause we are still unable to reproduce this

@jleifeld
Contributor

> 2. With clean install I mean a cloud instance created in the Shopware account (can be done in the plugin area). I have a customer which already has some plugins installed, and then the error with the product repo occurs. The problem with the language repo I have on every instance.

Just for my understanding: Do you have plugins installed in your local instance or do you mean a cloud instance with installed apps?

@bilobait-lohrmann
Author

I just made a cloud instance with the newest version. Now everything works fine. Thanks for the help. If something new comes up I will open a new issue.

@wannevancamp
Contributor

I have the same issue now. I want to receive the media from a product using the @shopware-ag/meteor-admin-sdk.

data.get({
  id: 'sw-product-detail__product',
  selectors: ['media']
});

The following error is thrown: Error: Your app is missing the privileges read:product_media for action "datasetGet".
Adding the permission <read>product_media</read> to the manifest will solve this issue. But now an error is thrown which asks to add all the available permissions to the manifest. Any thoughts?

  • Shopware: 6.5.8.2
  • @shopware-ag/meteor-admin-sdk: 4.0.0

@seggewiss
Contributor

I will check this again today 👍

@seggewiss seggewiss reopened this Feb 16, 2024
@jleifeld
Contributor

I could reproduce the error. We will have a look at it!
