Fix any user can recieve all api keys

2025-01-19 09:45:28 +01:00 · 2022-06-18 16:20:57 -04:00 · 2022-06-18 16:20:57 -04:00 · fd0da1ef20
commit fd0da1ef20
parent 5bb17eae33
1 changed files with 6 additions and 0 deletions
--- a/app/classes/web/panel_handler.py
+++ b/app/classes/web/panel_handler.py
@ -1926,6 +1926,12 @@ class PanelHandler(BaseHandler):
                self.redirect("/panel/error?error=Invalid Key ID")
                return

+            if key.user_id != exec_user["user_id"]:
+                self.redirect(
+                    "/panel/error?error=You are not authorized to access this key."
+                )
+                return
+
            self.controller.management.add_to_audit_log(
                exec_user["user_id"],
                f"Generated a new API token for the key {key.name} "