vendure-ecommerce/vendure

Custom Fields with permissions not showing in the storefront

Opened this issue · 4 comments

**RELATED TO ISSUE #2878**

Describe the bug
The bug described in issue #2878 was fixed in version v2.2.6. Whilst the fix did work, as the custom fields with permissions are now also visible in the shop-api, we noticed later on that the error persists, not in the shop API, but in the storefront or even when we call the shop-api endpoints through Postman: the custom fields that have permissions associated with them have a null value.

We created a new custom permission:


```ts
import { CrudPermissionDefinition } from '@vendure/core';

export const productSpecialFields = new CrudPermissionDefinition('ProductSpecialFields');
```

We are giving this permission to a special role, and when defining the customFields, the config has:

```ts
requiresPermission: ['ReadProductSpecialFields']
```

To Reproduce
Steps to reproduce the behavior:

  1. Create a customField for the Product entity
  2. Create a custom permission for reading the custom field
  3. Add the permission in the requiresPermission field for the customField config
  4. Add a value to the custom field in some product
  5. Go to the shop API sandbox and query the product --> the custom field will have a value
  6. Call the same query through Postman or a storefront in Next.js --> you will see the custom field with a null value

Expected behavior
The query done via the sandbox and the query done through Postman (or the storefront) should have the same result.

Environment (please complete the following information):

  • @vendure/core version: 2.2.6
  • Nodejs version: 22.1.0
  • Database (mysql/postgres etc): 15.7

Hi,

Are you able to inspect the requests (headers, body) from the working API sandbox, and the failing postman requests, and find the differences?

If there is a difference in the response, there must be a difference in the request. Perhaps some header missing, or something else like that.

Hi Michael, I'm working with @margamorais on this.

It turns out the sandbox request was authenticated (session cookie).

This means that, with an unauthenticated request (even a sandbox request), which is our use case when calling the shop API in the storefront, we can not retrieve fields with the custom permission.

Here's how we declared permissions for custom fields:

constants.ts

```ts
import { CrudPermissionDefinition } from '@vendure/core';

export const productSpecialFields = new CrudPermissionDefinition('ProductSpecialFields');
```

test.plugin.ts

```ts
// Custom field definition for the Product entity (fragment)
{
  name: 'test',
  label: [{ languageCode: LanguageCode.en, value: 'TEST' }],
  type: 'float',
  requiresPermission: [productSpecialFields.Read],
},
```

In the admin UI we get the wanted result (only users with the productSpecialFields.Read permission see this field); however, we did not want this to impact the shop API.

> This means that, with an unauthenticated request (even a sandbox request), which is our use case when calling the shop API in the storefront, we can not retrieve fields with the custom permission.

This is expected behaviour: if the user is not authenticated, we have no way of knowing whether they have the required permission.

If you want the custom field data to be accessible in the Shop API even for unauthenticated users, set `public: true` on the custom field definition.

Of course! That makes sense!
Thank you, everything seems to be working now.
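
As an added example (not from the thread and not Vendure's own code): a small lint over custom field definitions that reports how each permission-gated field behaves in the Shop API, following the behaviour described in this issue. The `FieldDef` shape, the function names and every field name other than `test` are assumptions made for illustration.

```typescript
// Added example: lint custom field definitions for Shop API exposure.
// The outcomes encode the behaviour described in this thread, not Vendure's source.
type Exposure = 'hidden-from-shop-api' | 'null-for-anonymous' | 'anonymous-readable';

interface FieldDef {
  name: string;
  type: string;
  public?: boolean;
  requiresPermission?: string | string[];
}
interface Finding { entity: string; field: string; permissions: string[]; exposure: Exposure }

function permissionsOf(field: FieldDef): string[] {
  const p = field.requiresPermission;
  if (p === undefined) return [];
  return typeof p === 'string' ? [p] : p;
}

function shopApiExposure(field: FieldDef): Exposure {
  if (field.public === false) return 'hidden-from-shop-api';
  // Permission-gated and not explicitly public: anonymous requests get null.
  if (permissionsOf(field).length > 0 && field.public !== true) return 'null-for-anonymous';
  return 'anonymous-readable';
}

// Report every permission-gated field so each exposure is a deliberate choice.
function auditCustomFields(customFields: Record<string, FieldDef[]>): Finding[] {
  const findings: Finding[] = [];
  for (const entity of Object.keys(customFields)) {
    for (const field of customFields[entity] || []) {
      const permissions = permissionsOf(field);
      if (permissions.length === 0) continue;
      findings.push({ entity, field: field.name, permissions, exposure: shopApiExposure(field) });
    }
  }
  return findings;
}

// Constructed sample: only `test` and the permission name come from the thread.
const sampleConfig: Record<string, FieldDef[]> = {
  Product: [
    { name: 'test', type: 'float', requiresPermission: ['ReadProductSpecialFields'] },
    { name: 'testPublic', type: 'float', public: true, requiresPermission: ['ReadProductSpecialFields'] },
    { name: 'internalNote', type: 'string', public: false, requiresPermission: 'ReadProductSpecialFields' },
    { name: 'subtitle', type: 'string' },
  ],
};
const sampleFindings = auditCustomFields(sampleConfig);
```

A `null-for-anonymous` result on a field the storefront needs is the symptom reported in this issue; an `anonymous-readable` result on a gated field means its value is served to every Shop API caller.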