From 6d19d76bac375a428e7e8c7bdecbb33a97b93d2e Mon Sep 17 00:00:00 2001
From: Damodar Lohani
Date: Thu, 11 Sep 2025 06:51:01 +0000
Subject: [PATCH] Fix scope check

---
 app/controllers/shared/api.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/app/controllers/shared/api.php b/app/controllers/shared/api.php
index e84699274f..4f7e351084 100644
--- a/app/controllers/shared/api.php
+++ b/app/controllers/shared/api.php
@@ -434,9 +434,9 @@ App::init()
 }
 // Step 9: Validate scope permissions
- $scope = $route->getLabel('scope', 'none');
- if (!\in_array($scope, $scopes)) {
- throw new Exception(Exception::GENERAL_UNAUTHORIZED_SCOPE, $user->getAttribute('email', 'User') . ' (role: ' . \strtolower($roles[$role]['label']) . ') missing scope (' . $scope . ')');
+ $allowed = (array)$route->getLabel('scope', 'none');
+ if (empty(\array_intersect($allowed, $scopes))) {
+ throw new Exception(Exception::GENERAL_UNAUTHORIZED_SCOPE, $user->getAttribute('email', 'User') . ' (role: ' . \strtolower($roles[$role]['label']) . ') missing scopes (' . \json_encode($allowed) . ')');
 }
 // Step 10: Check if user is blocked
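Review bot: The new `\array_intersect($allowed, $scopes)` check authorizes the request when the caller holds any one of the route's listed scopes, and nothing in the hunk says whether that "any-of" semantics is intended rather than "all-of" (which would be `\array_diff($allowed, $scopes) === []`); since this is the authorization gate for the route, the choice should be stated above the `$allowed = ...` line, e.g. `// A route may declare several scopes; the caller needs at least one of them (any-of). A missing or empty scope label yields [] and is denied.`. The empty-label case does fail closed as written, because `(array)` of an empty or null label is `[]` and the intersection is then empty, which is worth keeping explicit in that comment so a future refactor does not loosen it. As a matter of style, `\array_intersect($allowed, $scopes) === []` reads more precisely than `empty(...)` for an array result. The enclosing `App::init()` callback starts and ends outside this hunk.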