From c8edd5f14248d85f0bfe7571bf5dfbcd8b9845e2 Mon Sep 17 00:00:00 2001
From: tobi
Date: Tue, 25 Feb 2025 15:04:55 +0100
Subject: [PATCH] tweak scope matcher
---
internal/api/util/scopes.go | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/internal/api/util/scopes.go b/internal/api/util/scopes.go
index 830304417..189c4c6b4 100644
--- a/internal/api/util/scopes.go
+++ b/internal/api/util/scopes.go
@@ -93,6 +93,14 @@ const (
 // scope permits the wanted scope.
 func (has Scope) Permits(wanted Scope) bool {
 switch {
+
+ // Exact match.
+ case has == wanted:
+ return true
+
+ // Check if we have a parent scope
+ // of what's wanted, eg., we have
+ // "admin", we want "admin:read".
 case has == ScopeRead:
 return strings.HasPrefix(string(wanted), string(ScopeRead))
 case has == ScopeWrite:
@@ -103,7 +111,9 @@ func (has Scope) Permits(wanted Scope) bool {
 return strings.HasPrefix(string(wanted), string(ScopeAdminRead))
 case has == ScopeAdminWrite:
 return strings.HasPrefix(string(wanted), string(ScopeAdminWrite))
+
+ // No match.
 default:
- return has == wanted
+ return false
 }
 }
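Review bot: The parent-scope cases after the new exact-match case still use a bare `strings.HasPrefix(string(wanted), string(ScopeRead))`, which accepts any wanted scope that merely starts with the same characters, not only a child separated by `:` as the new comment describes. Since equality is now handled first, each prefix case can require the separator, e.g. `return strings.HasPrefix(string(wanted), string(ScopeRead)+":")`. The same applies to the ScopeAdminRead and ScopeAdminWrite cases in the second hunk, and presumably to the cases on the lines hidden between the two hunks. The scope constant values are outside the diff, so whether any existing scope name collides this way is unverified, but an authorization check should not depend on that. A small table test for `Permits` covering exact, child and look-alike scopes would pin the intended behaviour.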