diff --git a/ui/app/models/capabilities.js b/ui/app/models/capabilities.js
index 2fea24ba7703..04b91b146c93 100644
--- a/ui/app/models/capabilities.js
+++ b/ui/app/models/capabilities.js
@@ -33,7 +33,7 @@ const computedCapability = function(capability) {
 return false;
 }
 // if the path is sudo protected, they'll need sudo + the appropriate capability
- if (SUDO_PATHS.includes(path) || SUDO_PATH_PREFIXES.find(item => item.startsWith(path))) {
+ if (SUDO_PATHS.includes(path) || SUDO_PATH_PREFIXES.find(item => path.startsWith(item))) {
 return capabilities.includes('sudo') && capabilities.includes(capability);
 }
 return capabilities.includes(capability);
diff --git a/ui/tests/unit/models/capabilities-test.js b/ui/tests/unit/models/capabilities-test.js
index fdd545022858..cd490fce972c 100644
--- a/ui/tests/unit/models/capabilities-test.js
+++ b/ui/tests/unit/models/capabilities-test.js
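Review bot: In ui/app/models/capabilities.js the new condition `path.startsWith(item)` compares raw characters rather than whole path segments, so a path that merely begins with the same characters as a sudo prefix is also treated as sudo-protected. The entries of SUDO_PATH_PREFIXES are not visible in this hunk; if they carry no trailing slash (the added tests append `'/aws'`, which suggests so), `SUDO_PATH_PREFIXES.some(item => path === item || path.startsWith(item + '/'))` would pin the match to a segment boundary and return a boolean instead of the string that `find` yields. The over-match errs toward requiring sudo, and this model appears to drive only what the UI offers, so server-side policy enforcement stays the real control. computedCapability starts and ends outside the hunk.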
@@ -81,4 +81,46 @@ module('Unit | Model | capabilities', function(hooks) {
 assert.notOk(model.get('canDelete'));
 assert.notOk(model.get('canList'));
 });
+
+ test('it does not require sudo on sys/leases/revoke if update capability is present and path is not fully a sudo prefix', function(assert) {
+ let model = run(() =>
+ this.owner.lookup('service:store').createRecord('capabilities', {
+ path: 'sys/leases/revoke',
+ capabilities: ['update', 'read'],
+ })
+ );
+ assert.ok(model.get('canRead'));
+ assert.notOk(model.get('canCreate'), 'sudo requires the capability to be set as well');
+ assert.ok(model.get('canUpdate'), 'should not require sudo if it has update');
+ assert.notOk(model.get('canDelete'));
+ assert.notOk(model.get('canList'));
+ });
+
+ test('it requires sudo on prefix path even if capability is present', function(assert) {
+ let model = run(() =>
+ this.owner.lookup('service:store').createRecord('capabilities', {
+ path: SUDO_PATH_PREFIXES[0] + '/aws',
+ capabilities: ['update', 'read'],
+ })
+ );
+ assert.notOk(model.get('canRead'));
+ assert.notOk(model.get('canCreate'));
+ assert.notOk(model.get('canUpdate'), 'should still require sudo');
+ assert.notOk(model.get('canDelete'));
+ assert.notOk(model.get('canList'));
+ });
+
+ test('it does not require sudo on prefix path if both update and sudo capabilities are present', function(assert) {
+ let model = run(() =>
+ this.owner.lookup('service:store').createRecord('capabilities', {
+ path: SUDO_PATH_PREFIXES[0] + '/aws',
+ capabilities: ['sudo', 'update', 'read'],
+ })
+ );
+ assert.ok(model.get('canRead'));
+ assert.notOk(model.get('canCreate'));
+ assert.ok(model.get('canUpdate'), 'should not require sudo');
+ assert.notOk(model.get('canDelete'));
+ assert.notOk(model.get('canList'));
+ });
 });
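Review bot: The third added test is titled and messaged as if sudo were not needed ('it does not require sudo on prefix path if both update and sudo capabilities are present', 'should not require sudo'), yet its fixture grants `sudo` and what it verifies is that sudo together with update unlocks `canUpdate`. A title such as `'it allows update on a prefix path when both sudo and update are present'` with the message `'sudo + update should be sufficient'` would describe the assertion accurately. The new tests reference `SUDO_PATH_PREFIXES` while this hunk adds no import, so that name has to be imported already at the top of the file, which lies outside the hunk. No case covers the bare prefix itself or a path that only shares leading characters with a prefix without a `/` boundary, so the matching rule at those edges is left unpinned.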