X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/b81e83807ec568686a4dbb30d31a32cba5996e5f..b112b002ee3239803d1948e99463144812a2c213:/services/api/app/controllers/application_controller.rb
diff --git a/services/api/app/controllers/application_controller.rb b/services/api/app/controllers/application_controller.rb
index ba0efa7b53..649aa2b0df 100644
--- a/services/api/app/controllers/application_controller.rb
+++ b/services/api/app/controllers/application_controller.rb
@@ -345,7 +345,7 @@ class ApplicationController < ActionController::Base
 .all
 end
 @read_auths.select! { |auth| auth.scopes_allow_request? request }
- @read_users = @read_auths.map { |auth| auth.user }.uniq
+ @read_users = @read_auths.map(&:user).uniq
 end

 def require_login
@@ -365,7 +365,7 @@ class ApplicationController < ActionController::Base
 end

 def require_auth_scope
- if @read_auths.empty? || @read_auths[0] != current_api_client_authorization
+ unless current_user && @read_auths.any? { |auth| auth.user.andand.uuid == current_user.uuid }
 if require_login != false
 send_error("Forbidden", status: 403)
 end
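Review bot: The new guard in `require_auth_scope` passes when any entry in `@read_auths` belongs to `current_user`, so the scope decision is no longer tied to `current_api_client_authorization` itself. `@read_auths` is filtered by `scopes_allow_request?` in the first hunk, so if that list can hold more than one token for the same user (how it is populated is outside the visible lines), a scope-restricted primary token would presumably be accepted whenever a broader token for the same user accompanies the request. If that is the intent, state it in a comment above the `unless`, e.g. `# Any in-scope token owned by current_user authorizes the request, not only the primary token.`; if it is not, keep the check on the authorization itself, `unless @read_auths.include?(current_api_client_authorization)`. The body of `require_auth_scope` continues past the end of the hunk.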