diff --git a/apps/capabilities/permissions.py b/apps/capabilities/permissions.py
index 173b0a249..a7bc3b726 100644
--- a/apps/capabilities/permissions.py
+++ b/apps/capabilities/permissions.py
@@ -32,13 +32,14 @@ def has_permission(self, request, view):
 return True
 if hasattr(token, "scope"):
 # OAuth 2
+ token_scopes = token.scope.split()
 scopes = list(ProtectedCapability.objects.filter(
- slug__in=token.scope.split()
+ slug__in=token_scopes
 ).values_list('protected_resources', flat=True).all())
 # this is a shorterm fix to reject all tokens that do not have either
 # patient/coverage.read or patient/ExplanationOfBenefit.read
- if ("patient/Coverage.read" or "patient/ExplanationOfBenefit.read") in token.scope.split():
+ if ("patient/Coverage.read" in token_scopes) or ("patient/ExplanationOfBenefit.read" in token_scopes):
 for scope in scopes:
 for method, path in json.loads(scope):
 if method != request.method: