From 21f7b55c8a9808e07baef3aba42a21034390e722 Mon Sep 17 00:00:00 2001
From: Szymon Nowakowski
Date: Wed, 8 Oct 2025 00:43:21 +0200
Subject: [PATCH] Fix very faulty authorization
---
 packages/backend/src/the_api.ts | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/packages/backend/src/the_api.ts b/packages/backend/src/the_api.ts
index 05875e9..4d0f3d7 100644
--- a/packages/backend/src/the_api.ts
+++ b/packages/backend/src/the_api.ts
@@ -1,6 +1,6 @@
 import { AttachmentId, PieceId, RepertoireId, Sha256 } from "common";
 import api, { NotFound, Role, Unauthorized } from "common/the_api";
-import { DateTime, Effect, HashSet, Option, pipe } from "effect";
+import { DateTime, Effect, HashSet, Number, Option, pipe } from "effect";
 import { sql } from "kysely";
 import { implement } from "./api";
 import * as Authentication from "./services/Authentication";
@@ -17,7 +17,11 @@ const requireAuthenticated = pipe(
 const requireReadAccess = pipe(
 Authentication.Authentication,
 Effect.flatMap(({ me }) => me),
- Effect.flatMap((user) => HashSet.isSubset(user.roles, READ_ACCESS)
+ Effect.flatMap((user) => pipe(
+ HashSet.intersection(user.roles, READ_ACCESS),
+ HashSet.size,
+ Number.greaterThan(0),
+ )
 ? Effect.succeed(user)
 : Effect.fail(Unauthorized.make())
 ),
@@ -26,7 +30,11 @@ const requireReadAccess = pipe(
 const requireWriteAccess = pipe(
 Authentication.Authentication,
 Effect.flatMap(({ me }) => me),
- Effect.flatMap((user) => HashSet.isSubset(user.roles, WRITE_ACCESS)
+ Effect.flatMap((user) => pipe(
+ HashSet.intersection(user.roles, WRITE_ACCESS),
+ HashSet.size,
+ Number.greaterThan(0),
+ )
 ? Effect.succeed(user)
 : Effect.fail(Unauthorized.make())
 ),
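Review bot: The added `Number` in the `effect` import shadows the global `Number` for the whole of the_api.ts, so any `Number(x)`, `Number.isNaN` or `Number.parseInt` elsewhere in this file (outside this hunk, so I cannot confirm there are any) would now resolve to effect's `Number` module and fail to type-check or behave differently. Either alias it, `import { DateTime, Effect, HashSet, Number as Num, Option, pipe } from "effect";`, or drop the import entirely by expressing the role check with `HashSet.some`/`HashSet.has`, which needs no numeric comparison at all.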
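Review bot: The new "holds at least one allowed role" predicate is written out twice, here in requireReadAccess and identically in the requireWriteAccess hunk below, and neither site records why the old `isSubset` test was wrong, so a future refactor could reintroduce it. Extract one helper such as `const hasAnyRole = (roles, allowed) => HashSet.some(roles, (role) => HashSet.has(allowed, role));` (typed against the existing `Role` import if that is what `user.roles` holds) and call it from both guards as `Effect.flatMap((user) => hasAnyRole(user.roles, READ_ACCESS) ? Effect.succeed(user) : Effect.fail(Unauthorized.make()))`, with the comment `// Grant if the user holds ANY allowed role. isSubset(user.roles, allowed) was backwards: an empty role set is a subset of everything and was admitted.` on the helper. Since the commit fixes an authorization bypass, it should also add a regression test that a user with no roles, and a user whose roles are all outside the allowed set, receive `Unauthorized` from both guards, while a user holding one allowed role plus unrelated roles is admitted.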