diff --git a/web/login/login.py b/web/login/login.py
index e33b974f5cb98817051d68240d293dfa83350b53..14341f6d3dad7e1d8f3dd3fe7c778268d8514fa5 100644
--- a/web/login/login.py
+++ b/web/login/login.py
@@ -256,16 +256,19 @@ def consent():
     # Default access level
     roles = []
     if app_obj:
-        role_objects = (
+        role_object = (
             db.session.query(AppRole)
             .filter(AppRole.app_id == app_obj.id)
             .filter(AppRole.user_id == user.uuid)
+            .first()
         )
-        for role_obj in role_objects:
-            app_role = RoleService.get_role_by_id(role_obj.role_id)
-            if (app_role is None):
-                roles.append('user')
-                continue
+        print(role_object)
+        if role_object is None or role_object.role_id is None:
+            # If there is no role in app_roles or the role_id for an app is null user has no permissions
+            # TODO: how to handle if the user has no access for an app?
+            current_app.logger.error(f"User has no access for: {app_obj.name}")
+        app_role = RoleService.get_role_by_id(role_object.role_id)
+        if (app_role is not None):
             roles.append(app_role.name)
 
     current_app.logger.info(f"Using '{roles}' when applying consent for {kratos_id}")
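Review bot: When no AppRole row exists, the new `if role_object is None or role_object.role_id is None:` branch only logs and then falls through to `RoleService.get_role_by_id(role_object.role_id)`, which raises AttributeError on `None`; when only `role_id` is null, execution continues and consent appears to be applied with an empty `roles` list. Put the lookup and `roles.append(app_role.name)` under an `else:`, and make the no-access branch an explicit denial instead of leaving it to the TODO, so the authorization outcome does not depend on an unhandled exception. The leftover `print(role_object)` should be removed or replaced with `current_app.logger.debug(...)`, and the error log would be easier to audit if it also named the user, e.g. the `kratos_id` that the following log line already uses. `.first()` also silently picks one row if a user can hold several roles for the same app, so either enforce uniqueness on (app_id, user_id) or document that only one role is honoured. consent() starts and continues outside this hunk, so how the denial should be returned has to be checked against the rest of the function.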