From 37765dbebc0c65e5511e836abb54eaf11fd5b6fb Mon Sep 17 00:00:00 2001
From: Andrew
Date: Sat, 18 Jun 2022 17:02:10 -0400
Subject: [PATCH] Fix general user can view any api-key page
---
 app/classes/web/panel_handler.py | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/app/classes/web/panel_handler.py b/app/classes/web/panel_handler.py
index e234c03c..cbb5de0e 100644
--- a/app/classes/web/panel_handler.py
+++ b/app/classes/web/panel_handler.py
@@ -1058,6 +1058,9 @@ class PanelHandler(BaseHandler):
 if user_id is None:
 self.redirect("/panel/error?error=Invalid User ID")
 return
+ if user_id != exec_user["user_id"] or not exec_user["superuser"]:
+ self.redirect("/panel/error?error=Invalid User ID")
+ return
 template = "panel/panel_edit_user_apikeys.html"
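Review bot: The added guard joins its two conditions with `or`, so it redirects everyone except a superuser opening their own page: a regular user is turned away from their own API keys, and a superuser from any other user's. That fails closed, so the disclosure named in the subject is blocked, but the intended rule (the owner or a superuser may view) needs `and`: `if user_id != exec_user["user_id"] and not exec_user["superuser"]:`. If `user_id` arrives as a string from the request while `exec_user["user_id"]` is an integer (not visible in this hunk), the `!=` is always true and the comparison should be made on normalised values, e.g. `str(user_id) != str(exec_user["user_id"])`. The handler method starts and continues outside the hunk, so whether the code paths that create or delete API keys carry the same ownership check cannot be confirmed here and is worth verifying.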