Merge branch 'master' into brandon/BB2-3349-update-django

CMSgov · Oct 16, 2024 · f8e6c43 · f8e6c43
2 parents addbfae + cb83285
commit f8e6c43
Showing 1 changed file with 3 additions and 2 deletions.
diff --git a/apps/capabilities/permissions.py b/apps/capabilities/permissions.py
@@ -32,13 +32,14 @@ def has_permission(self, request, view):
             return True
 
         if hasattr(token, "scope"):  # OAuth 2
+            token_scopes = token.scope.split()
             scopes = list(ProtectedCapability.objects.filter(
-                slug__in=token.scope.split()
+                slug__in=token_scopes
             ).values_list('protected_resources', flat=True).all())
 
             # this is a shorterm fix to reject all tokens that do not have either
             # patient/coverage.read or patient/ExplanationOfBenefit.read
-            if ("patient/Coverage.read" or "patient/ExplanationOfBenefit.read") in token.scope.split():
+            if ("patient/Coverage.read" in token_scopes) or ("patient/ExplanationOfBenefit.read" in token_scopes):
                 for scope in scopes:
                     for method, path in json.loads(scope):
                         if method != request.method: