mirror of
https://github.com/go-vikunja/vikunja.git
synced 2026-07-15 06:12:15 -05:00
PermissionsAreValid only consulted apiTokenRoutes, so a v2-only resource (no v1 counterpart) could never be granted as a token scope even though CanDoAPIRoute already authorises against both tables. Validate against the union so the v1+v2 authorization and validation paths agree.