Minor API handling fixes.

app/Policies/APIKeyPolicy.php

@@ -43,7 +43,7 @@ class APIKeyPolicy
     protected function checkPermission(User $user, Key $key, $permission)
     {
         // Non-administrative users cannot use administrative routes.
-        if (! starts_with('user.') && ! $user->isRootAdmin()) {
+        if (! starts_with($key, 'user.') && ! $user->isRootAdmin()) {
             return false;
         }
 

app/Repositories/APIRepository.php

@@ -147,7 +147,7 @@ class APIRepository
             if ($this->user->isRootAdmin() && isset($data['admin_permissions'])) {
                 unset($pNodes['_user']);
 
-                foreach ($data['admin_permissions'] as $permNode) {
+                foreach ($data['admin_permissions'] as $permission) {
                     $parts = explode('-', $permission);
 
                     if (count($parts) !== 2) {