Hi,
My App is built using Rails 7, with the current versions of the shopify_app gem and app-bridge.js.
If a store staff member with fewer access scopes than those initially requested by the App is using it, I need to limit some App functionality. This ensures they cannot make changes that they are prevented from making in the Admin panel.
I need to acquire the user's access scopes in order to compare them to the App's requested scopes. Here's what I've tried:
My shopify_app initializer is configured like this:
...
config.embedded_app = true
config.shop_session_repository = "Shop"
config.user_session_repository = "User"
...
I tried querying the 'user_session_repository' for the limited access user and get:
#<User:0x00007f76594b7590
id: 2,
shopify_user_id: 88950702335,
shopify_domain: "fki-store4.myshopify.com",
shopify_token: "[FILTERED]",
...,
access_scopes: "">
The user access scopes are empty.
I tried,
user_access_scopes = ShopifyApp::SessionRepository
.retrieve_user_session_by_shopify_user_id(shopify_user_id)&.scope
Again, the user access scopes are empty.
I tried querying the user provided by app-bridge,
async userInfo() {
const user = await shopify.user();
console.log(user);
}
and get this:
{
"name": "",
"accountAccess": "Limited access"
}
Have I missed something? How can I get the user's access scopes? Suggestions welcomed with thanks.
One last thing, I've also tried using the 'ShopifyApp::EnsureHasSession' concern, but that gave rise to another, unresolved problem. See "Controller concern gives CSP error" if interested.
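Once the user's access_scopes string is actually populated, the comparison the post describes is a small piece of plain Ruby. The example below is added here and is not code from the poster or the shopify_app gem; it assumes scopes arrive as the comma-separated strings stored in the access_scopes column, and it follows Shopify's rule that a write_* scope implies the matching read_* scope. FEATURE_SCOPES is a hypothetical feature-to-scope map.

```ruby
require "set"

# Parse a comma-separated scope string (possibly nil or "") into a Set.
# An empty string, as in the User record shown above, yields an empty Set,
# so every gated feature fails closed until the scopes are stored correctly.
def parse_scopes(scope_string)
  return Set.new if scope_string.nil?
  scope_string.split(",").map(&:strip).reject(&:empty?).to_set
end

# Expand implied scopes: holding write_x also grants read_x.
def expand_scopes(scopes)
  implied = scopes.select { |s| s.start_with?("write_") }
                  .map { |s| s.sub(/\Awrite_/, "read_") }
  scopes | implied
end

# Scopes the app requested (config.scope) that this user does not hold.
# Implied read scopes on the granted side count as held.
def missing_scopes(requested_string, granted_string)
  requested = parse_scopes(requested_string)
  granted   = expand_scopes(parse_scopes(granted_string))
  requested - granted
end

# Hypothetical map of app features to the scopes each one needs.
FEATURE_SCOPES = {
  "edit_products" => %w[write_products],
  "view_orders"   => %w[read_orders],
}.freeze

# Features this user may use: every required scope must be present.
def allowed_features(granted_string)
  granted = expand_scopes(parse_scopes(granted_string))
  FEATURE_SCOPES.select { |_, needed| needed.all? { |s| granted.include?(s) } }.keys
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: app requests more than this staff member holds.
  p missing_scopes("read_orders,write_products", "write_orders,read_products")
  p allowed_features("write_orders,read_products")
end
```

Use the result to hide or disable UI in the embedded app, but keep enforcing the same scopes server-side, since the Admin API rejects calls the online token is not authorised for regardless of what the UI shows.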
Sounds like you are on the right track. I can confirm this works as long as you are getting back an online token. The session docs might help; you just need to see where the access scopes are getting dropped before they get stored.
Thanks for replying, it's helpful to know you've got it working. I'll revisit the docs you suggest to see if I've missed something along the way.