From ffe09f4179ec7fb52a9495fdf108a18526610127 Mon Sep 17 00:00:00 2001
From: "Qian (Jim) Fu"
Date: Tue, 15 Oct 2024 15:25:03 -0700
Subject: [PATCH 1/2] fix the temp fix if checking.

---
 apps/capabilities/permissions.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/capabilities/permissions.py b/apps/capabilities/permissions.py
index 173b0a249..fad2c0959 100644
--- a/apps/capabilities/permissions.py
+++ b/apps/capabilities/permissions.py
@@ -38,7 +38,7 @@ def has_permission(self, request, view):
 
             # this is a shorterm fix to reject all tokens that do not have either
             # patient/coverage.read or patient/ExplanationOfBenefit.read
-            if ("patient/Coverage.read" or "patient/ExplanationOfBenefit.read") in token.scope.split():
+            if ("patient/Coverage.read" in token.scope.split()) or ("patient/ExplanationOfBenefit.read" in token.scope.split()):
                 for scope in scopes:
                     for method, path in json.loads(scope):
                         if method != request.method:

From 30f6c6f22c8655cd9807b4e4d387b891afad309a Mon Sep 17 00:00:00 2001
From: jimmyfagan
Date: Tue, 15 Oct 2024 21:53:58 -0500
Subject: [PATCH 2/2] Minor adjustments

---
 apps/capabilities/permissions.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/apps/capabilities/permissions.py b/apps/capabilities/permissions.py
index fad2c0959..a7bc3b726 100644
--- a/apps/capabilities/permissions.py
+++ b/apps/capabilities/permissions.py
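Review bot: The two context comment lines above the changed `if` spell the scope as `patient/coverage.read` while the literal actually tested is `patient/Coverage.read`; membership in `token.scope.split()` is an exact, case-sensitive string comparison, so the comment should match the code: `# patient/Coverage.read or patient/ExplanationOfBenefit.read` (and `shorterm` should read `short-term`). The same comment lines appear as context in the second patch's hunk. The condition is a hard gate on the whole capability check: when neither scope is present the nested loops are skipped entirely, and what `has_permission` returns in that case lies outside this hunk, so a one-line comment on the `if` stating the intended outcome (presumably a deny) would make the purpose of the temporary gate explicit.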
@@ -32,13 +32,14 @@ def has_permission(self, request, view):
             return True
         if hasattr(token, "scope"):
             # OAuth 2
+            token_scopes = token.scope.split()
             scopes = list(ProtectedCapability.objects.filter(
-                slug__in=token.scope.split()
+                slug__in=token_scopes
             ).values_list('protected_resources', flat=True).all())
 
             # this is a shorterm fix to reject all tokens that do not have either
             # patient/coverage.read or patient/ExplanationOfBenefit.read
-            if ("patient/Coverage.read" in token.scope.split()) or ("patient/ExplanationOfBenefit.read" in token.scope.split()):
+            if ("patient/Coverage.read" in token_scopes) or ("patient/ExplanationOfBenefit.read" in token_scopes):
                 for scope in scopes:
                     for method, path in json.loads(scope):
                         if method != request.method:
</gr_insert_placeholder_never_used>
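Review bot: The rewritten `if` on the last changed line still repeats the two scope literals inline, wrapped in redundant parentheses, and runs well past the usual line length; naming them once at module level and testing with `any` keeps the temporary gate in a single place that is easy to find and remove later: `REQUIRED_SCOPES = ("patient/Coverage.read", "patient/ExplanationOfBenefit.read")` and `if any(s in token_scopes for s in REQUIRED_SCOPES):`. Introducing `token_scopes` is a good change; since the same list now feeds both the `slug__in` lookup and the gate, a short comment on the new assignment would help, e.g. `# space-delimited OAuth 2 scope string; one capability slug per entry`. `has_permission` continues past the end of this hunk, so the behaviour when the gate is false is not visible here.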