Milliways/lenticular_cloud2
4
0
Fork 0
Code Issues 1 Pull requests Packages Projects Releases Wiki Activity

[passkey] check if user owns passkey befor delete

Browse source
This commit is contained in:
tuxcoder 2023-12-26 12:57:59 +01:00
parent 7dff2a964f
commit 2eea083fe7
1 changed files with 4 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
lenticular_cloud/views/frontend.py
View file

@ -285,9 +285,13 @@ def passkey_new_process() -> ResponseReturnValue:
def passkey_delete(id: str) -> ResponseReturnValue:
"""delete registered credential"""
user = get_current_user()
form = ButtonForm()
if form.validate_on_submit():
cred = PasskeyCredential.query.filter(PasskeyCredential.id == id).first_or_404()
if cred.user_id != user.id:
return '', 404
db.session.delete(cred)
db.session.commit()
return redirect(url_for('.passkey'))