diff --git a/hosts/by-name/servo/services/export/sftpgo_external_auth_hook b/hosts/by-name/servo/services/export/sftpgo_external_auth_hook
index 6f4a5aa4..329bf137 100755
--- a/hosts/by-name/servo/services/export/sftpgo_external_auth_hook
+++ b/hosts/by-name/servo/services/export/sftpgo_external_auth_hook
@@ -42,7 +42,25 @@ import os
 authFail = dict(username="")
-def mkAuthOk(username: str) -> dict:
+PERM_RO = [ "list", "download" ]
+PERM_RW = [
+ # read-only:
+ "list",
+ "download",
+ # write:
+ "upload",
+ "overwrite",
+ "delete",
+ "rename",
+ "create_dirs",
+ "create_symlinks",
+ # intentionally omitted:
+ # "chmod",
+ # "chown",
+ # "chtimes",
+]
+
+def mkAuthOk(username: str, permissions: dict[str, list[str]]) -> dict:
 return dict(
 status = 1,
 username = username,
@@ -60,25 +78,7 @@ def mkAuthOk(username: str) -> dict:
 # quota_*: 0 means to not use SFTP's quota system
 quota_size = 0,
 quota_files = 0,
- permissions = {
- "/": [ "list", "download" ],
- "/playground": [
- # read-only:
- "list",
- "download",
- # write:
- "upload",
- "overwrite",
- "delete",
- "rename",
- "create_dirs",
- "create_symlinks",
- # intentionally omitted:
- # "chmod",
- # "chown",
- # "chtimes",
- ],
- },
+ permissions = permissions,
 upload_bandwidth = 0,
 download_bandwidth = 0,
 filters = dict(
@@ -100,7 +100,7 @@ def isLan(ip: str) -> bool:
 def isWireguard(ip: str) -> bool:
 return ip.startswith("10.0.10.")
-def getAuthResponse(username: str, ip: str) -> dict:
+def getAuthResponse(ip: str, username: str) -> dict:
 """
 return a sftpgo auth response either denying the user or approving them with a set of permissions.
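Review bot: The new `permissions` parameter on mkAuthOk is undocumented, yet it is now the only place where per-path access is decided, so a reader has to work out from the callers that keys are virtual paths and values are sftpgo permission names. A short docstring would fix that, e.g. `"""Build an sftpgo "allow" response. permissions maps a virtual path ("/", "/playground") to the sftpgo permission names granted beneath it; see PERM_RO / PERM_RW."""`, and a one-line comment above PERM_RO naming them as the two grant levels used by getAuthResponse. As a point of style, PERM_RO and PERM_RW are module-level lists that every response now shares by reference; nothing visible mutates them, but declaring them as tuples (`PERM_RO = ("list", "download")`) would make that guarantee structural rather than by convention. The body of mkAuthOk continues past this hunk.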
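Review bot: Swapping the order of two same-typed positional parameters in getAuthResponse is a silent change: any caller still passing `(username, ip)` keeps type-checking and keeps running, but the client-chosen username would then be fed to isLan/isWireguard, turning a network-trust check into a string-prefix check on attacker-controlled input, and the real address would be echoed back as the username. Since the commit touches every visible caller anyway (main() in the next hunk), make the parameters keyword-only so the mistake cannot recur: `def getAuthResponse(*, ip: str, username: str) -> dict:` here and `resp = getAuthResponse(ip=ip, username=username)` in main(). The docstring that follows should also state which argument comes from sftpgo (the peer address) and which from the client (the username), since the security decision depends on not confusing them. The function body continues beyond this hunk.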
@@ -108,17 +108,23 @@ def getAuthResponse(username: str, ip: str) -> dict:
 if isLan(ip):
 if username == "anonymous":
 # allow anonymous users on the LAN
- return mkAuthOk("anonymous")
+ return mkAuthOk("anonymous", permissions = {
+ "/": PERM_RO,
+ "/playground": PERM_RW,
+ })
 if isWireguard(ip):
- # allow any user from wireguard
- return mkAuthOk(username)
+ # allow any user from wireguard
+ return mkAuthOk(username, permissions = {
+ "/": PERM_RW,
+ "/playground": PERM_RW,
+ })
 return authFail
 def main():
- username = os.environ.get("SFTPGO_AUTHD_USERNAME")
- ip = os.environ.get("SFTPGO_AUTHD_IP")
- resp = getAuthResponse(username, ip)
+ ip = os.environ.get("SFTPGO_AUTHD_IP", "")
+ username = os.environ.get("SFTPGO_AUTHD_USERNAME", "")
+ resp = getAuthResponse(ip, username)
 print(json.dumps(resp))
 if __name__ == "__main__":
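Review bot: Defaulting SFTPGO_AUTHD_IP and SFTPGO_AUTHD_USERNAME to `""` in main() changes the failure mode when sftpgo does not supply them: before, `None` reached `ip.startswith(...)` in isWireguard and the hook crashed (no valid JSON, so no grant); now `""` flows through isLan, whose body is outside this diff, and the deny depends on both checks treating an empty string as a non-match. Make the fail-closed behaviour explicit at the top of getAuthResponse, whose head lies in the previous hunk: `if not ip or not username: return authFail`. Separately, the comment `# allow any user from wireguard` now understates the grant, since wireguard users get PERM_RW on "/" where anonymous LAN users get only PERM_RO; `# allow any user from wireguard, with read/write on the whole tree (not just /playground)` would record that deliberately.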