staffOrderNotificationSubscriptionDelete Could Be Used By Staff Member With Settings Permission
Severity: Low
## Vulnerability Details
Hi,
The staff order notification should be under the control of staff members with `Order` permission, but I found that a staff member with just `Settings` permission can also delete the order notifications using the GID.
## Steps to reproduce
- Login as a staff member with `Settings` permission
- Make this GraphQL call to `https://yoursubdomain.myshopify.com/admin/internal/web/graphql/core?operation=SwitcherNoStores`
```json
{"query": "mutation{staffOrderNotificationSubscriptionDelete(staffOrderNotificationSubscriptionId:\"gid://shopify/StaffOrderNotificationSubscription/82867191864\"){userErrors{message}}} "}
```
- Note: you can find the `82867191864` id from `/admin/settings/notifications` as an admin account, in the `Staff order notifications` section, after adding an order notification; the id is in the URL
- The response you see should be `{"staffOrderNotificationSubscriptionDelete":{"userErrors":[]}}`, and this means you have deleted the subscription already
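As an added illustration of the check that the report shows to be missing (this is not Shopify's code; the permission names `orders`/`settings`, the mutation-to-permission mapping and the GID-type rule are assumptions), a deny-by-default authorizer that refuses the report's mutation for a `Settings`-only staff member and allows it for one holding `Order` permission:

```python
import re
from dataclasses import dataclass

# Assumed: the staff permission each mutation requires (per the report, delete must need `Order`).
REQUIRED_PERMISSION = {"staffOrderNotificationSubscriptionDelete": "orders"}
# Assumed: the resource type each mutation may act on, checked against the GID it receives.
EXPECTED_GID_TYPE = {"staffOrderNotificationSubscriptionDelete": "StaffOrderNotificationSubscription"}
GID_RE = re.compile(r"^gid://shopify/(?P<type>[A-Za-z]+)/(?P<id>\d+)$")
MUTATION_RE = re.compile(r"mutation\s*\{\s*(?P<name>\w+)\s*\((?P<args>[^)]*)\)")

@dataclass(frozen=True)
class StaffMember:
    name: str
    permissions: frozenset

def parse_gid(gid):  # "gid://shopify/<Type>/<id>" -> (<Type>, <id>)
    m = GID_RE.match(gid)
    if not m:
        raise ValueError(f"malformed GID: {gid!r}")
    return m.group("type"), int(m.group("id"))

def parse_mutation(query):  # raw query -> (mutation name, GID argument or None)
    m = MUTATION_RE.search(query)
    if not m:
        raise ValueError("not a single-mutation query")
    gid = re.search(r'"(gid://[^"]+)"', m.group("args"))
    return m.group("name"), (gid.group(1) if gid else None)

def authorize(staff, query):
    """Deny by default: an unmapped mutation, a missing permission, a missing GID
    or a GID of the wrong resource type is refused before any resource lookup."""
    mutation, gid = parse_mutation(query)
    required = REQUIRED_PERMISSION.get(mutation)
    if required is None:
        return False, f"{mutation}: no permission mapping"
    if required not in staff.permissions:
        return False, f"{mutation}: needs '{required}', has {sorted(staff.permissions)}"
    if gid is None:
        return False, f"{mutation}: missing GID argument"
    gid_type, _ = parse_gid(gid)
    expected = EXPECTED_GID_TYPE.get(mutation)
    if expected is not None and gid_type != expected:
        return False, f"{mutation}: GID type {gid_type} is not {expected}"
    return True, "ok"

# Constructed inputs: the mutation body from the report and two staff accounts.
QUERY = ('mutation{staffOrderNotificationSubscriptionDelete(staffOrderNotificationSubscriptionId:'
         '"gid://shopify/StaffOrderNotificationSubscription/82867191864"){userErrors{message}}}')
SETTINGS_ONLY = StaffMember("settings-only", frozenset({"settings"}))
ORDERS_STAFF = StaffMember("orders-staff", frozenset({"orders"}))
```

`authorize(SETTINGS_ONLY, QUERY)` returns a denial naming the missing `orders` permission, which is the response the reporter should have received instead of an empty `userErrors` list.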
## Impact
The staff order notification should be under the control of staff members with `Order` permission, but I found that a staff member with just `Settings` permission can also delete the order notifications using the GID.
## Report Stats
- Report ID: 1102660
- State: Closed
- Substate: resolved
- Upvotes: 20