How do I acquire Staff member access scopes?

Topic summary

A developer using Rails 7 with the shopify_app gem needs to retrieve staff member access scopes to restrict app functionality based on user permissions.

Attempted Solutions (All Unsuccessful):

  • Querying user_session_repository returns empty user_access_scopes
  • Using app-bridge’s shopify.user() returns {"name":"", "accountAccess":"Limited access"} without scopes
  • Implementing the ShopifyApp::EnsureHasSession concern caused unresolved CSP errors

Current Status:
The issue remains unresolved. A community member confirmed this approach should work with online tokens and suggested:

The developer plans to revisit documentation to identify any missed configuration steps.

Summarized with AI on November 12. AI used: claude-sonnet-4-5-20250929.

Hi,

My App is built using Rails 7, with the current versions of the shopify_app gem and app-bridge.js.

If a store staff member with fewer access scopes than those initially requested by the App is using it, I need to limit some App functionality. This ensures they cannot make changes that they are prevented from making in the Admin panel.

I need to acquire the user’s access scopes in order to compare them to the App’s requested scopes. Here’s what I’ve tried:

My shopify_app initializer is configured like this:

```ruby
...
config.embedded_app = true
config.shop_session_repository = "Shop"
config.user_session_repository = "User"
...
```

I tried querying the ‘user_session_repository’ for the limited access user and get:

#

The user access scopes are empty.

I tried,

```ruby
user_access_scopes = ShopifyApp::SessionRepository
                     .retrieve_user_session_by_shopify_user_id(shopify_user_id)&.scope
```

Again, the user access scopes are empty.

I tried querying the user provided by app-bridge,

```javascript
async userInfo() {
  const user = await shopify.user();
  console.log(user);
}
```

and get this:

```json
{
  "name": "",
  "accountAccess": "Limited access"
}
```

Have I missed something? How can I get the user’s access scopes? Suggestions welcomed with thanks.

One last thing, I’ve also tried using the ‘ShopifyApp::EnsureHasSession’ concern, but that gave rise to another, unresolved problem. See Controller concern gives CSP error if interested.
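Once the user session does carry a scope string, the comparison the post is after looks like this. This is an added example, not code from the original post or from the shopify_app gem; it assumes scopes arrive as a comma-separated string (the format of the session's `scope` field) and that a write_* scope implies the matching read_* scope. It fails closed on the empty-scope case the post describes, so a missing scope string never unlocks functionality.

```ruby
require "set"

# Added example (not from the original post or the shopify_app gem).
# Assumptions: scope strings are comma-separated, as stored in the
# session's `scope` field; a write_* scope implies the matching read_* scope.
module ScopeGuard
  module_function

  # Parse "read_products,write_orders" into a Set, adding the read scope
  # implied by each write scope so comparisons don't give false negatives.
  def parse(scope_string)
    scopes = Set.new
    scope_string.to_s.split(",").each do |raw|
      name = raw.strip
      next if name.empty?
      scopes << name
      scopes << name.sub(/\Awrite_/, "read_") if name.start_with?("write_")
    end
    scopes
  end

  # Scopes the app requested that this staff member does not hold.
  def missing(requested, granted)
    parse(requested) - parse(granted)
  end

  # Fail closed: an empty or nil granted-scope string (the symptom in the
  # question) must never be treated as "full access".
  def allowed?(granted, *required)
    have = parse(granted)
    return false if have.empty?
    required.all? { |r| have.include?(r) }
  end
end

if __FILE__ == $PROGRAM_NAME
  app_scopes  = "read_products,write_products,write_orders"
  user_scopes = "write_products" # constructed: a limited-access staff member
  puts "missing: #{ScopeGuard.missing(app_scopes, user_scopes).to_a.sort.join(',')}"
  puts "can edit orders? #{ScopeGuard.allowed?(user_scopes, 'write_orders')}"
end
```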

Sounds like you are on the right track. I can confirm this works as long as you are getting back an online token. The session docs might help; you just need to see where the access scopes are getting dropped before they get stored.

Thanks for replying, it’s helpful to know you’ve got it working. I’ll revisit the docs you suggest to see if I’ve missed something along the way.