X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/7a98271d94163cdc4afa5bfcf275db353bc062d2..03e570095885982d23e234bce8e1c068314b63af:/services/api/lib/current_api_client.rb
diff --git a/services/api/lib/current_api_client.rb b/services/api/lib/current_api_client.rb
index 401be16c7a..0803d5464d 100644
--- a/services/api/lib/current_api_client.rb
+++ b/services/api/lib/current_api_client.rb
@@ -29,14 +29,17 @@ module CurrentApiClient
 Thread.current[:api_client_ip_address]
 end
 
- # Does the current API client authorization include any of ok_scopes?
- def current_api_client_auth_has_scope(ok_scopes)
- auth_scopes = current_api_client_authorization.andand.scopes || []
- unless auth_scopes.index('all') or (auth_scopes & ok_scopes).any?
- logger.warn "Insufficient auth scope: need #{ok_scopes}, #{current_api_client_authorization.inspect} has #{auth_scopes}"
- return false
- end
- true
+ # Is the current API client authorization scoped for the request?
+ def current_api_client_auth_has_scope(req_s)
+ (current_api_client_authorization.andand.scopes || []).select { |scope|
+ if scope == 'all'
+ true
+ elsif scope.end_with? '/'
+ req_s.start_with? scope
+ else
+ req_s == scope
+ end
+ }.any?
 end
 
 def system_user_uuid
@@ -98,9 +101,11 @@ module CurrentApiClient
 if block_given?
 user_was = Thread.current[:user]
 Thread.current[:user] = system_user
- ret = yield
- Thread.current[:user] = user_was
- ret
+ begin
+ yield
+ ensure
+ Thread.current[:user] = user_was
+ end
 else
 Thread.current[:user] = system_user
 end
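Review bot: A request refused for insufficient scope now leaves no trace, because the rewritten `current_api_client_auth_has_scope` drops the `logger.warn` the old body emitted and simply returns false; unless the caller logs the refusal (not visible in this hunk), repeated use of a restricted token against endpoints outside its scope goes unrecorded. I would keep a warning on the false path, for example `logger.warn "Insufficient auth scope: #{req_s.inspect} not covered by token scopes"`, and not bring back `current_api_client_authorization.inspect`, which would likely write the token's attributes into the log. As a style point, `select { |scope| ... }.any?` builds a throwaway array, while `any? { |scope| ... }` on the same list expresses the test directly and stops at the first match. The prefix branch `req_s.start_with? scope` is only as strict as the normalization of `req_s`, so a comment stating that callers must pass the routed, normalized method-and-path string would help the next reader.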
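Review bot: The `else` branch still assigns `Thread.current[:user] = system_user` with nothing to restore it, so the exception safety added by the new `begin`/`ensure` covers only the block form. If the server reuses threads across requests and nothing resets `Thread.current[:user]` at the start of each request (not visible here), the elevated identity could outlive the caller that asked for it. I would add a comment above that branch, such as `# No block given: the thread stays system_user until Thread.current[:user] is reset elsewhere`, and prefer the block form at call sites. The enclosing method begins above this hunk and its closing `end` lies below it.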