From b3a57bd0ad6515b6a832e62ff3fdc93fb6935be7 Mon Sep 17 00:00:00 2001
From: DaneEveritt
Date: Sun, 26 Jun 2022 13:23:22 -0400
Subject: [PATCH] fix includes for client API keys on admin accounts; closes #4164

---
 app/Transformers/Api/Application/BaseTransformer.php | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/app/Transformers/Api/Application/BaseTransformer.php b/app/Transformers/Api/Application/BaseTransformer.php
index bb8f5ce9b..dce0b1442 100644
--- a/app/Transformers/Api/Application/BaseTransformer.php
+++ b/app/Transformers/Api/Application/BaseTransformer.php
@@ -67,11 +67,20 @@ abstract class BaseTransformer extends TransformerAbstract
      */
     protected function authorize(string $resource): bool
     {
+        $allowed = [ApiKey::TYPE_ACCOUNT, ApiKey::TYPE_APPLICATION];
+
         $token = $this->request->user()->currentAccessToken();
-        if (!$token instanceof ApiKey || $token->key_type !== ApiKey::TYPE_APPLICATION) {
+        if (!$token instanceof ApiKey || !in_array($token->key_type, $allowed)) {
             return false;
         }
 
+        // If this is not a deprecated application token type we can only check that
+        // the user is a root admin at the moment. In a future release we'll be rolling
+        // out more specific permissions for keys.
+        if ($token->key_type === ApiKey::TYPE_ACCOUNT) {
+            return $this->request->user()->root_admin;
+        }
+
         return AdminAcl::check($token, $resource, AdminAcl::READ);
     }
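Review bot: The rewritten key-type gate `!in_array($token->key_type, $allowed)` uses loose comparison, and since this condition is what decides whether a token reaches an authorization check at all it should be strict: `if (!$token instanceof ApiKey || !in_array($token->key_type, $allowed, true)) {`. The new `return $this->request->user()->root_admin;` sits in a method declared `: bool`; unless the user model casts `root_admin` to bool, a raw integer column value would either throw a TypeError under strict_types or be coerced silently, so `return (bool) $this->request->user()->root_admin;` makes the contract explicit either way. The added comment should also state the security consequence that the code shows but the comment does not, namely that on the account-key path `$resource` is ignored and a root admin is granted READ on every resource, e.g. `// Account keys skip the per-resource ACL: any root admin gets read access to everything.`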