ACCESS_DENIED on GraphQL themes.files query

GraphQL Admin API Troubleshooting
1

Dear Colleagues,

I am running into a frustrating permissions issue with the GraphQL Admin API while querying theme files, and I want to confirm if my understanding of Shopify’s security model here is correct.

The Setup:

My app has the following scopes requested:

  • write_themes

  • read_themes

I am running the following GraphQL query to read a specific theme file (templates/test.json):

GraphQL

query {
  themes(first: 10) {
    edges {
      node {
        name
        id
        role
        files (first: 10, filenames: ["templates/test.json"]) {
          edges {
            node {
              filename
              body {
                ... on OnlineStoreThemeFileBodyText {
                  content
                }
              }
              contentType
            }
          }    
        }
      }
    }
  }
}

The Problem:

The app is installed on several dev-stores. The GraphQL works on all dev-stores except one. For the failing dev-store, it returns.

  path: [ 'themes', 'edges', 2, 'node', 'files' ],
  extensions: {
    code: 'ACCESS_DENIED',
    documentation: 'https://shopify.dev/api/usage/access-scopes'
  }

My Questions:

Do you have any idea why the GraphQL works on all dev-stores except one? Thank you in advance.

1 Like
2

Hey @Emarsys_Marketing_Pl, thanks for sharing this.

That is strange that a single development store is behaving different than the others. Is it the same app on all stores?

Were the other stores created differently than the one that shows the error. ie they were created in the partner dashboard vs the dev dashboard?

If you can give me an idea of anything that may be different with that one store I’ll see if I can replicate it.

3

Hi there,

One thing worth checking on that specific store — if the theme returning the error has a DEMO role, Shopify blocks file access on demo themes even with read_themes scope. The error lands on the theme node level so it can be easy to miss which theme in the list is actually causing it.

You can verify by filtering the response by role and seeing if the failing store has a demo theme in that list. If that’s the case it’s not a permissions issue with your app.

1 Like
4

Thank you very much! It is exactly the root cause. Thank you again for your great insight!