From fd0da1ef203ab4a43990e944570ae4a88c6b0868 Mon Sep 17 00:00:00 2001
From: Andrew
Date: Sat, 18 Jun 2022 16:20:57 -0400
Subject: [PATCH] Fix any user can recieve all api keys
---
 app/classes/web/panel_handler.py | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/app/classes/web/panel_handler.py b/app/classes/web/panel_handler.py
index bb44138f..4f6dfe87 100644
--- a/app/classes/web/panel_handler.py
+++ b/app/classes/web/panel_handler.py
@@ -1926,6 +1926,12 @@ class PanelHandler(BaseHandler):
 self.redirect("/panel/error?error=Invalid Key ID")
 return
+ if key.user_id != exec_user["user_id"]:
+ self.redirect(
+ "/panel/error?error=You are not authorized to access this key."
+ )
+ return
+
 self.controller.management.add_to_audit_log(
 exec_user["user_id"],
 f"Generated a new API token for the key {key.name} "
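Review bot: The new ownership check at `if key.user_id != exec_user["user_id"]:` rejects the request without recording it, while the success path just below writes to the audit log. A denied attempt to generate a token for another user's key is the event an operator most needs to see, so an `add_to_audit_log` entry naming the key id and the requesting user belongs before the redirect. The operand types are not visible in this hunk: if `key.user_id` is a model relation rather than a plain id, the comparison would be unequal for the legitimate owner as well, so it is worth confirming that both sides are the same scalar type. Answering "Invalid Key ID" for a missing key and a different message for someone else's key also tells a caller which key ids exist; reusing `self.redirect("/panel/error?error=Invalid Key ID")` for both cases would avoid that. The enclosing handler method starts and ends outside the hunk, so whether the other key operations carry the same check cannot be judged from here.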