User with limited scope / rights can bypass using API ???

Hi,

Not sure if I'm tired or just in a "wtf" moment.

- Using Magento 2 Cloud Enterprise

- Create a user "test" + an associated role

- Tick only "orders" for this role / user

- Limit this role to a specific website (website1.com)

Connecting via the API, using the "test" credentials, allows user "test" to fetch ALL orders (whatever the website).

Am I missing something here?
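The quickest way to settle this is to reproduce the call the poster describes and check which store each returned order belongs to. The script below is an added example, not code from the original post or from Magento: it fetches an admin token for the restricted user, lists orders through the REST API, and counts them per `store_id`. The base URL, username, password and the set of store view ids that belong to website1.com are assumptions you have to fill in for your own instance (the role is restricted at website level, so pass the store view ids of that website, which you can read from `/rest/V1/store/storeViews`). The embedded `SAMPLE_RESPONSE` is constructed to look like a `/V1/orders` reply so the scope check can be exercised offline.

```python
import json
import urllib.request
from collections import Counter

# Hypothetical connection details; none of these come from the original post.
BASE_URL = "https://website1.com"
USERNAME = "test"
PASSWORD = "test-password"
# Assumed: the store view ids that belong to website1.com. Read them from
# GET /rest/V1/store/storeViews (field "website_id") on your own instance.
ALLOWED_STORE_IDS = {1}


def get_admin_token(base_url, username, password):
    """POST /rest/V1/integration/admin/token; Magento returns the token as a bare JSON string."""
    req = urllib.request.Request(
        f"{base_url}/rest/V1/integration/admin/token",
        data=json.dumps({"username": username, "password": password}).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def fetch_orders(base_url, token, page_size=100):
    """GET /rest/V1/orders with a searchCriteria that matches every order (no filter groups)."""
    url = f"{base_url}/rest/V1/orders?searchCriteria[pageSize]={page_size}"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def orders_by_store(response):
    """Count the orders in a /V1/orders response per store_id.

    If the role's website restriction were applied to the API, only store ids of
    that website would ever appear here.
    """
    return Counter(item["store_id"] for item in response.get("items", []))


def scope_enforced(response, allowed_store_ids):
    """True only if every returned order belongs to a store the role may see."""
    return set(orders_by_store(response)) <= set(allowed_store_ids)


# Constructed sample shaped like a /V1/orders reply, used so the checks run offline.
# Store 2 is deliberately outside ALLOWED_STORE_IDS to show a failed check.
SAMPLE_RESPONSE = {
    "items": [
        {"entity_id": 1, "increment_id": "000000001", "store_id": 1},
        {"entity_id": 2, "increment_id": "000000002", "store_id": 1},
        {"entity_id": 3, "increment_id": "000000003", "store_id": 2},
    ],
    "total_count": 3,
}


if __name__ == "__main__":
    # Offline run against the constructed sample.
    print("orders per store:", dict(orders_by_store(SAMPLE_RESPONSE)))
    print("website restriction honoured:", scope_enforced(SAMPLE_RESPONSE, ALLOWED_STORE_IDS))
    # Against a real instance (network access required), replace the two lines above with:
    # token = get_admin_token(BASE_URL, USERNAME, PASSWORD)
    # live = fetch_orders(BASE_URL, token)
    # print(dict(orders_by_store(live)), scope_enforced(live, ALLOWED_STORE_IDS))
```

Run it against the real instance with the restricted user's credentials: if `orders_by_store` reports store ids from more than the allowed website, the API response confirms what the post describes, and the same token can be used to repeat the check for `total_count` against an unrestricted admin user to see whether the two figures match.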