User with marketing role can change pricing and availability

Originator: max
Number: rdar://FB9071197 Date Originated: 4/7/2021
Status: Open Resolved:
Product: App Store Connect Product Version:
Classification: Reproducible: Always
 
Basic information

User with marketing role can change pricing and availability

Which area are you seeing an issue with?
App Store Connect

What type of feedback are you reporting?
Incorrect/Unexpected Behavior

Description

Please describe the issue:
It is possible for a user with only the marketing role to programmatically change the price and availability of an app on App Store Connect. It is not possible to do this through the interface, and it should not be possible at all according to the docs: https://developer.apple.com/support/roles/ (the status is "Read-only access" for "Edit app pricing and availability"). For a proof of concept we used the open source library "fastlane" (https://github.com/fastlane/fastlane), but it should be possible with tools like Postman or similar to make the web request.

Please list the steps you took to reproduce the issue:
1. Install fastlane: https://github.com/fastlane/fastlane
2. Install irb
3. Open Terminal
4. Start IRB: $ bundle exec irb
5. Load spaceship: $ require "spaceship"
6. Log in with an Apple ID that has the marketing-only role: $ Spaceship::Tunes.login("apple@id.com", "password")
7. Get the app: $ app = Spaceship::ConnectAPI::App.find("com.sample.test")
8. Change the price, making sure to choose a different value (the app should already have a price): $ app.update(app_price_tier_id: "25")
9. Verify on App Store Connect that the price did indeed get changed. There is no error message or similar.

What did you expect to happen?
Get an error message from App Store Connect similar to: 403 {"errors"=>[{"id"=>"e6542d56-ecab-4867-813b-cd553cb3f9e2", "status"=>"403", "code"=>"FORBIDDEN_ERROR", "title"=>"This request is forbidden for security reasons", "detail"=>"The Apple ID in use does not allow this request"}]}

What actually happened?
The price was changed on App Store Connect.
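The behaviour above is what you get when a permission is enforced only by hiding a control in the web UI while the API endpoint behind it accepts the mutation from any authenticated user. As an added illustration (not part of this Radar, and not fastlane or App Store Connect code), the Ruby below models both patterns: a handler that trusts the UI to gate the request, and a handler that re-checks the caller's role on every pricing mutation and answers with the 403 body the reporter expected. The permission matrix, the role names other than "marketing", and the handler names are assumptions for illustration.

```ruby
# Added example, not code from the report or from fastlane/App Store Connect.
require "securerandom"

# Per-role access level for the one capability this report concerns.
# "marketing" => :read is what https://developer.apple.com/support/roles/ states;
# the "admin" entry is an assumption added so both branches can be exercised.
PERMISSIONS = {
  "admin"     => { "pricing_and_availability" => :edit },
  "marketing" => { "pricing_and_availability" => :read },
}.freeze

class Forbidden < StandardError; end

# Error body in the shape the reporter expected to receive (see "What did you expect").
def forbidden_error
  {
    "errors" => [{
      "id"     => SecureRandom.uuid,
      "status" => "403",
      "code"   => "FORBIDDEN_ERROR",
      "title"  => "This request is forbidden for security reasons",
      "detail" => "The Apple ID in use does not allow this request",
    }],
  }
end

# Server-side check run for every mutation, regardless of which client
# (web UI, fastlane, a raw HTTP tool) sent the request.
def authorize!(role, capability, action)
  level = PERMISSIONS.dig(role, capability)
  allowed = case action
            when :read then [:read, :edit].include?(level)
            when :edit then level == :edit
            else false
            end
  raise Forbidden unless allowed
end

# Vulnerable pattern (hypothetical handler): the role was consulted only when the
# pricing form was rendered, so the API applies whatever attributes arrive.
# Returns [status, body].
def update_app_ui_gated(app, _role, attributes)
  [200, app.merge(attributes)]
end

# Hardened pattern (hypothetical handler): any attribute that touches pricing
# or availability requires :edit on that capability for the caller's role.
# Returns [status, body].
PRICING_ATTRIBUTES = [:app_price_tier_id, :available_in_new_territories].freeze

def update_app(app, role, attributes)
  if attributes.keys.any? { |k| PRICING_ATTRIBUTES.include?(k) }
    authorize!(role, "pricing_and_availability", :edit)
  end
  [200, app.merge(attributes)]
rescue Forbidden
  [403, forbidden_error]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample app record; the bundle id is the one from the report's steps.
  app = { bundle_id: "com.sample.test", app_price_tier_id: "10" }
  p update_app_ui_gated(app, "marketing", { app_price_tier_id: "25" }) # silently applied
  p update_app(app, "marketing", { app_price_tier_id: "25" })          # 403 FORBIDDEN_ERROR
  p update_app(app, "admin", { app_price_tier_id: "25" })              # applied
end
```

The point of the hardened handler is that the check keys off the attributes in the request body, not off which screen the user came from, so a client that skips the UI gets the same 403 the UI would have implied.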

Comments


Please note: Reports posted here will not necessarily be seen by Apple. All problems should be submitted at bugreport.apple.com before they are posted here. Please only post information for Radars that you have filed yourself, and please do not include Apple confidential information in your posts. Thank you!