2 matches found
Shopify: STAFF "No-Permissions" on the Store can retrieve the details Order via exchangeReceiptSend
I discovered a bug in an Android mobile app that allowed STAFF No Permissions using Receipt Send to Mobile of any Order information in the Store. Steps to reproduce: 1. STAFF account is created and assigned "No Permissions" on a Shop by Owner/Admin. 2. STAFF then logs in to shop. Notice that STAFF is...
Shopify: Staff member with no permission can delete POS staff from account settings
Hello Team. Description: Shopify POS also has staff settings only for POS purposes where an admin can add POS Shopify staff along with fname, lname, email address, and generated pin. Reference - https://help.shopify.com/en/manual/sell-in-person/pos-classic/setup/staff-settings After creation, Shopif...