X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/d7e559136a7ed5ee3f178b26aa2b5924cea1bca7..9d33e0c4f98da668b23b85c54d20d22fe4b0f342:/services/api/app/models/api_client_authorization.rb

diff --git a/services/api/app/models/api_client_authorization.rb b/services/api/app/models/api_client_authorization.rb
index c587e5830a..b0c2f31e4f 100644
--- a/services/api/app/models/api_client_authorization.rb
+++ b/services/api/app/models/api_client_authorization.rb
@@ -61,13 +61,17 @@ class ApiClientAuthorization < ArvadosModel
   end
 
   def scopes_allow_request?(request)
-    scopes_allow? [request.request_method, request.path].join(' ')
+    method = request.request_method
+    if method == 'HEAD'
+      (scopes_allow?(['HEAD', request.path].join(' ')) ||
+       scopes_allow?(['GET', request.path].join(' ')))
+    else
+      scopes_allow?([method, request.path].join(' '))
+    end
   end
 
   def logged_attributes
-    attrs = attributes.dup
-    attrs.delete('api_token')
-    attrs
+    super.except 'api_token'
   end
 
   def self.default_orders
@@ -82,8 +86,9 @@ class ApiClientAuthorization < ArvadosModel
 
   def permission_to_update
     (permission_to_create and
-     not self.user_id_changed? and
-     not self.owner_uuid_changed?)
+     not uuid_changed? and
+     not user_id_changed? and
+     not owner_uuid_changed?)
   end
 
   def log_update