lucamario

Reputation: 284

Unexpected permission behavior with Shopware v6.5.4.0 and Admin SDK

So for my app based on the Shopware 6 app system everything worked fine for v6.5.3.3. However, after updating Shopware to v6.5.4.0, I am suddenly getting a bunch of permission errors, even though my app doesn't need them, since it is not using them.


I don't even have permissions to access my own entities which I created in my entities.xml:


This explicitly happens when the repository service of the Admin SDK is used. I did not change anything inside my app, so I guess something in the Shopware core changed. I also took a look at the changelog, however, I couldn't find any change which could cause this issue.

Unfortunately, I don't have any clue where to debug, so for once I added all of these permissions. Next up, it is telling me to also add create and delete permissions:


So, this is a major stopper for my crud app.

Basically, my app uses custom entities, which reads and writes data via the Admin SDK. Nothing special, therefore I did not attach any code. I am glad for any help. Maybe I am missing something from the changelog. Otherwise I will create an issue.

I am using the latest Admin SDK version, 3.0.14.


EDIT:

So now I am trying to add the includes to my code in order to reduce the payload. First of all my manifest.xml:

<permissions>
    <read>language</read>
</permissions>

Next up, the code in my app:

async loadLanguages(): Promise<void> {
    this.loading = true;

    try {
        const criteria = new data.Classes.Criteria();
        criteria.addIncludes({
            language: ['id']
        });
        const languages = await this.languageRepository.search(criteria);
        // Not logged
        console.log(languages);
    } catch (err: unknown) {
        if (err instanceof Error) {
            notification.dispatch({
                title: this.$tc('global.default.error'),
                message: err.message,
                variant: 'error'
            });
        }
    }

    this.loading = false;
}

In my understanding this should result in a response with all languages containing just the "id" field, without the need for any further permissions. However, this results in the same permission error as before. Surprisingly, I am getting a 200 status code response in the network tab like this:

{
  "data": [
    {
      "id": "0189e919e85e70a783c1305f521820d9",
      "type": "language",
      "attributes": {
        "apiAlias": "language_foreign_keys_extension"
      },
      "links": {
        "self": "http://localhost:8888/api/language/0189e919e85e70a783c1305f521820d9"
      },
      "relationships": [],
      "meta": null
    },
    {
      "id": "2fbb5fe2e29a4d70aa5854ce7ce3e20b",
      "type": "language",
      "attributes": {
        "apiAlias": "language_foreign_keys_extension"
      },
      "links": {
        "self": "http://localhost:8888/api/language/2fbb5fe2e29a4d70aa5854ce7ce3e20b"
      },
      "relationships": [],
      "meta": null
    }
  ],
  "included": [],
  "links": {
    "self": "http://localhost:8888/api/search/language"
  },
  "meta": {
    "totalCountMode": 1,
    "total": 2
  },
  "aggregations": []
}

Nevertheless, my catch block intercepts it with the permission error. What am I still doing wrong?

Upvotes: 1

Views: 530

Answers (2)

lucamario

Reputation: 284

This is an issue affecting Shopware platform...

https://github.com/shopware/platform/commit/4203eaa3adc6c69ae3932e1c106fa6914011877b

...and will most likely be fixed with the upcoming minor release v6.5.4.2

Upvotes: 0

dneustadt

Reputation: 13161

The permission behavior was wrong prior to v6.5.4. This was fixed with this version. When you are now loading an entity which the app has no permissions for, then it will throw this error.

To minimize the needed permissions you could reduce the payload by using includes in the Criteria. And for the data you get via https://shopware.github.io/admin-extension-sdk/docs/guide/api-reference/data/subscribe you can use the selectors to reduce it only to your needed permissions.

Upvotes: 3
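As an added illustration of the point in the answer above (this is not code from either answer, from the question, or from the Admin SDK): a small pre-flight check that takes the raw JSON:API response of a repository search, like the one posted in the question, and the app's manifest.xml, and lists the entity types in the response for which the manifest declares no `<read>` permission. The manifest parser only looks at the `<read>`, `<create>`, `<update>` and `<delete>` entries inside `<permissions>`; the response shape is reduced to the `type` fields of `data` and `included`, which is an assumption about what the permission check is keyed on.

```typescript
// Added example (not from the question, the answers or the Admin SDK): compare the
// entity types contained in a search response with the <read> permissions in manifest.xml.
type Permission = 'read' | 'create' | 'update' | 'delete';

// Parse the <permissions> block of manifest.xml into one entity set per permission.
function parseManifestPermissions(xml: string): Record<Permission, Set<string>> {
  const perms: Record<Permission, Set<string>> = {
    read: new Set(), create: new Set(), update: new Set(), delete: new Set(),
  };
  const block = /<permissions>([\s\S]*?)<\/permissions>/.exec(xml)?.[1] ?? '';
  const entry = /<(read|create|update|delete)>\s*([a-z0-9_]+)\s*<\/\1>/g;
  for (let m = entry.exec(block); m !== null; m = entry.exec(block)) {
    perms[m[1] as Permission].add(m[2]);
  }
  return perms;
}

// Minimal JSON:API shape of an /api/search/<entity> response (only the parts we inspect).
interface Resource { id: string; type: string }
interface SearchResponse { data: Resource[]; included?: Resource[] }

// Entity types present anywhere in the response: primary data plus side-loaded
// associations in "included". Assumption: each of these needs a <read> entry.
function entityTypesIn(res: SearchResponse): string[] {
  const types = new Set<string>();
  for (const r of [...res.data, ...(res.included ?? [])]) types.add(r.type);
  return Array.from(types).sort();
}

// Entity types the response contains but the manifest does not grant read access to.
function missingReadPermissions(manifestXml: string, res: SearchResponse): string[] {
  const granted = parseManifestPermissions(manifestXml).read;
  return entityTypesIn(res).filter((t) => !granted.has(t));
}

// Constructed sample input: the manifest from the question and a trimmed copy of its response.
const MANIFEST = `<permissions>
    <read>language</read>
</permissions>`;

const RESPONSE: SearchResponse = {
  data: [
    { id: '0189e919e85e70a783c1305f521820d9', type: 'language' },
    { id: '2fbb5fe2e29a4d70aa5854ce7ce3e20b', type: 'language' },
  ],
  included: [],
};

console.log(missingReadPermissions(MANIFEST, RESPONSE)); // []
```

Running the same check against a response whose `included` array carries an association entity (for example a `locale` side-loaded via `addAssociation`) reports that entity as missing, which is the case the answer's advice about includes is meant to avoid.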
