From e18f1a6eb53e4e06c8b872b2ae775a68dd0795f0 Mon Sep 17 00:00:00 2001
From: Kristaps Fabians Geikins
Date: Fri, 25 Apr 2025 18:47:36 +0300
Subject: [PATCH] fix(server): blob read should not require write scope (#4610)
---
 packages/server/modules/shared/authz.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/server/modules/shared/authz.ts b/packages/server/modules/shared/authz.ts
index 87882c3c8..ea997f004 100644
--- a/packages/server/modules/shared/authz.ts
+++ b/packages/server/modules/shared/authz.ts
@@ -373,7 +373,7 @@ export const streamCommentsWritePermissionsPipelineFactory =
 ]

 export const streamReadPermissionsPipelineFactory = (): AuthPipelineFunction[] => [
- validateScope({ requiredScope: Scopes.Streams.Write }),
+ validateScope({ requiredScope: Scopes.Streams.Read }),
 validateStreamPolicyAccessFactory({
 policyInvoker: async ({ authData, policies }) =>
 policies.project.canRead({
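Review bot: The relaxed scope on the `validateScope` line applies to every consumer of `streamReadPermissionsPipelineFactory`, not only the blob read route named in the commit title. Any route that mounts this pipeline but changes state would until now have been gated by `Scopes.Streams.Write`, and after this change it would accept a token holding only `Scopes.Streams.Read`. The callers are not visible in this hunk, so it is worth confirming that each one is read-only. A regression test would help: a read-only-scoped token succeeds on blob read and is still rejected on blob upload and delete. I would also document the contract above the factory, for example `// Read-only pipeline: requires Scopes.Streams.Read; never mount on routes that mutate stream data.`. The factory's body continues past the end of the hunk.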