From cbde123aa1c33f1919bf4ee5c6e99ec50f46f90e Mon Sep 17 00:00:00 2001
From: KernelDeimos <7225168+KernelDeimos@users.noreply.github.com>
Date: Tue, 3 Feb 2026 15:19:00 -0500
Subject: [PATCH] fix(backend): undo part of `35461a0`
It turns out this part of `35461a0` was not necessary to fix this issue, and the code is still more correct if it falls true when the token's authorizor has a permission granted.
---
 src/backend/src/services/auth/ACLService.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/backend/src/services/auth/ACLService.js b/src/backend/src/services/auth/ACLService.js
index d92517236..5e21383c2 100644
--- a/src/backend/src/services/auth/ACLService.js
+++ b/src/backend/src/services/auth/ACLService.js
@@ -425,7 +425,8 @@ class ACLService extends BaseService {
 // Access tokens only work if the authorizer has permission
 if ( actor.type instanceof AccessTokenActorType ) {
 const authorizer = actor.type.authorizer;
- return await this._check_fsNode(authorizer, fsNode, mode);
+ const authorizer_perm = await this._check_fsNode(authorizer, fsNode, mode);
+ if ( ! authorizer_perm ) return false;
 }
 // Hard rule: if app-under-user is accessing appdata directory, allow
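Review bot: The comment above the `AccessTokenActorType` branch now understates what the branch does: with the early `return` gone, a granted authorizer no longer decides the result, and the access-token actor falls through to the rules below the hunk, starting with the appdata hard rule. I would reword it to something like `// Authorizer permission is necessary but not sufficient: deny if it is missing, otherwise fall through to the checks below`. The rest of the method is outside the hunk, so it is not visible here whether those later rules deny an access-token actor that holds no grant of its own. A test pinning both cases (authorizer lacks permission, and authorizer has permission but the token was never granted this node) would keep this authorization path from changing silently.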