Shopify: STAFF "No-Permissions" on the Store can retrieve the details Order via exchangeReceiptSend

I discovered a bug in an android mobile app that allowed STAFF No Permissions using Receipt Send to Mobile of any Order information in the Store. Steps to reproduce: 1 STAFF account is created and assigned "No Permissions" on a Shop by Owner/Admin 2 STAFF then login to shop. Notice that STAFF is...