staffOrderNotificationSubscriptionCreate Is Not Blocked Entirely From Staff Member With Settings Permission
Low
Vulnerability Details
Hi,
I found that the GraphQL call `staffOrderNotificationSubscriptionCreate` is not blocked for a staff member with the Settings permission.
## Steps to reproduce
- Login as a staff member with `Settings` permission
- Make this GraphQL call to `https://yoursubdomain.myshopify.com/admin/internal/web/graphql/core?operation=SwitcherNoStores`
```json
{"query": "mutation{staffOrderNotificationSubscriptionCreate(notificationRecipientIdentifier:\"[email protected]\",notificationRecipientType:EMAIL){staffOrderNotificationSubscription{id}}} "}
```
- The response you see should be `Access denied for staffOrderNotificationSubscription field. Required access: read_notification_settings access scope. Also: User must have access to orders.`, and you would think this means a dead end, but in reality you have already added the order notification to the settings
- Visit `/admin/settings/notifications` as an admin; you should notice that the email `[email protected]` has already been added to the order notifications
## Screenshot video
{F1194404}
## Impact
I found that the GraphQL call `staffOrderNotificationSubscriptionCreate` is not blocked for a staff member with the Settings permission.
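The check-after-write pattern the report describes, as an added example that is not Shopify's code: a mutation resolver that performs the write and only afterwards fails field-level authorization on the returned type (so the denial is reported but the write persists), beside a resolver that checks the required access before any side effect. The `Store` class, the user objects and the `canAccessOrders` flag are constructed for illustration; the only scope name taken from the report is `read_notification_settings`.

```javascript
// Constructed in-memory stand-in for the shop's notification settings.
class Store {
  constructor() { this.subscriptions = []; }
  addSubscription(recipient, type) {
    const sub = { id: `sub-${this.subscriptions.length + 1}`, recipient, type };
    this.subscriptions.push(sub);
    return sub;
  }
}

// Access rule derived from the error text in the report: the caller needs the
// read_notification_settings scope and access to orders. (Hypothetical check.)
function mayManageOrderNotifications(user) {
  return user.scopes.has('read_notification_settings') && user.canAccessOrders === true;
}

// Vulnerable shape: the write happens first, then authorization runs when the
// result type is resolved. The client sees "Access denied", but the subscription
// is already committed to the store.
function vulnerableCreate(store, user, recipient, type) {
  const sub = store.addSubscription(recipient, type); // side effect before any check
  if (!mayManageOrderNotifications(user)) {
    return { data: null, errors: ['Access denied for staffOrderNotificationSubscription field'] };
  }
  return { data: { id: sub.id }, errors: [] };
}

// Hardened shape: the mutation authorizes itself before touching the store, so a
// denied call leaves no trace in the settings.
function hardenedCreate(store, user, recipient, type) {
  if (!mayManageOrderNotifications(user)) {
    return { data: null, errors: ['Access denied for staffOrderNotificationSubscriptionCreate'] };
  }
  const sub = store.addSubscription(recipient, type);
  return { data: { id: sub.id }, errors: [] };
}

// Detection angle for a defender: the mismatch between a mutation that returned
// an error and a settings record that nevertheless appeared.
function deniedButPersisted(result, store) {
  return result.data === null && store.subscriptions.length > 0;
}
```

Comparing `store.subscriptions` after a denied call is the quickest way to tell the two shapes apart.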
Report Stats
- Report ID: 1102652
- State: Closed
- Substate: resolved
- Upvotes: 19