Fix issue where any user could add/remove api keys

2024-08-30 18:23:09 +00:00 · 2022-06-18 16:55:39 -04:00 · 2022-06-18 16:55:39 -04:00 · 72f97e4ff0
commit 72f97e4ff0
parent fd0da1ef20
1 changed files with 16 additions and 0 deletions
--- a/app/classes/web/panel_handler.py
+++ b/app/classes/web/panel_handler.py
@ -1893,6 +1893,13 @@ class PanelHandler(BaseHandler):
                self.redirect("/panel/error?error=Invalid User ID")
                return

+            if user_id != exec_user["user_id"] or not exec_user["superuser"]:
+                self.redirect(
+                    "/panel/error?error=You do not have access to change"
+                    + "this user's api key."
+                )
+                return
+
            crafty_permissions_mask = self.get_perms()
            server_permissions_mask = self.get_perms_server()

@ -2148,6 +2155,15 @@ class PanelHandler(BaseHandler):
                self.redirect("/panel/error?error=Invalid Key ID")
                return

+            key_obj = self.controller.users.get_user_api_key(key_id)
+
+            if key_obj.user_id != exec_user["user_id"] or not exec_user["superuser"]:
+                self.redirect(
+                    "/panel/error?error=You do not have access to change"
+                    + "this user's api key."
+                )
+                return
+
            self.controller.users.delete_user_api_key(key_id)

            self.controller.management.add_to_audit_log(