diff --git a/dashboard/api.py b/dashboard/api.py
index 97aeb83..d04649a 100644
--- a/dashboard/api.py
+++ b/dashboard/api.py
@@ -122,7 +122,8 @@ class TaskBoardHandler(SimpleHTTPRequestHandler):
 for base in allowed_dirs:
 try:
 candidate = (base / path).resolve()
- if str(candidate).startswith(str(base)):
+ # Check if candidate is within ANY allowed directory (handles symlinks)
+ if any(str(candidate).startswith(str(d)) for d in allowed_dirs):
 target = candidate
 workspace = base
 break
@@ -669,7 +670,8 @@ class TaskBoardHandler(SimpleHTTPRequestHandler):
 for base in allowed_dirs:
 try:
 candidate = (base / path).resolve()
- if str(candidate).startswith(str(base)):
+ # Check if candidate is within ANY allowed directory (handles symlinks)
+ if any(str(candidate).startswith(str(d)) for d in allowed_dirs):
 target = candidate
 workspace = base
 break
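Review bot: The new containment test in both hunks (`@@ -122` and `@@ -669`) still compares strings with `startswith`, which is a prefix match rather than a path-boundary match: an allowed directory `/srv/work` (constructed example) also accepts `/srv/work-private/x`, and extending the test to every allowed directory widens that gap. Assuming the entries of `allowed_dirs` are `Path` objects, as `base / path` suggests, `if any(candidate.is_relative_to(d) for d in allowed_dirs):` compares whole path components (Python 3.9+), and resolving each `d` first would keep the comparison symmetric with the resolved candidate. `workspace = base` is also no longer guaranteed to be the directory that contains `target`, since a path that resolves out of `base` into another allowed directory now passes; if `workspace` feeds any later access decision or response field, it should be set to the matching `d` instead. The enclosing method and the `try` block start and end outside both hunks, so the `except` arm and the later uses of `workspace` are not visible here.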