Not allowed behaviors in the Shopware Store

This page outlines which types of changes are not permitted in Store extensions and highlights the permitted extension patterns you should use instead.

Basic rule

Extensions must not make any direct changes to the existing Shopware structure. This includes in particular:

Direct manipulation of the database (for example, executing SQL queries from the Administration)
Changes to the core table structure
Writing, overwriting, or deleting files within the Shopware core or the existing directory structure
Circumventing designated APIs, DAL, events, or services

Additional prohibitions (security and law)

In addition, extensions are not permitted that:

Undermine security-related protection mechanisms (for example, rights and role concepts, CSRF protection, validations).
Enable uncontrolled system interventions by the shop operator or end customer (for example, arbitrary SQL execution, file access, or shell commands via the Administration UI)
Circumvent or override legal requirements, such as:
- Data protection and consent mechanisms
- Logging, documentation, or verification obligations
- Mandatory information or legally prescribed processes

What is permitted

Extending via the mechanisms provided by Shopware (DAL, migrations, events, decorator pattern, subscribers, services).
Copying existing structures (for example, templates, configurations, assets) and adapting the copy without changing the original.
Creating your own tables, entities, configuration values, or directories, provided these are clearly assigned to the extension.

Why these rules exist

Shopware is deliberately designed so that extensions remain stable, update-proof, and legally compliant. Direct interventions in the database or file system may seem pragmatic, but they pose real risks:

Security risk: Unrestricted SQL or file access can enable data leaks, manipulation, or escalation of user rights
Update failure: Core structures are not a stable contract. What works today may break shops after the next update
Liability risk: Extensions that undermine legal protection mechanisms create problems for merchants and for the ecosystem
Quality standard: The Store stands for trust. Extensions must behave like good guests: they may use the space, but must not remove load-bearing walls

In short, if a feature is only possible through direct SQL, core file manipulation, or bypassing intended interfaces, that is a sign the approach should change — not that the rules are too strict.

Catalog

Checkout

Content

Architecture

Rule system

Accessibility

Extensions

Extension Architecture

APIs

API Flows

Monetization

Tooling

Troubleshooting

DAL Reference

Fields Reference

Testing

Store

Playwright E2E testing

Legacy

Cypress

Unit Testing

Legacy Setups

Apps

App SDKs

JavaScript App Server SDK

Official PHP SDK

App Scripts

Storefront

Administration

Flow Builder

Custom Data

Content

CMS

Rule Builder

Gateways

Checkout

Context

In app purchase

Checkout

Lifecycle

Plugins

Administration

Administration Reference

Advanced Configuration

Data Handling and Processing

Mixins and Directives

Modules and Components

Permissions and Error Handling

Routing and Navigation

Services and Utilities

Templates and Styling

Plugin Architecture

Plugin Fundamentals

Checkout

Cart

Document

Order

Payment

Content

CMS

Mail

Media

SEO

Sitemap

Stock

Database

Framework

Data Handling / Data Abstraction Layer

Custom Fields

Event

Extension Points

Message Queue

Rule

Store API

Filesystem

Flow

Rate Limiter

System Checks

Services

Dependencies