[passkey] check if user owns passkey befor delete
This commit is contained in:
parent
7dff2a964f
commit
2eea083fe7
|
@ -285,9 +285,13 @@ def passkey_new_process() -> ResponseReturnValue:
|
|||
def passkey_delete(id: str) -> ResponseReturnValue:
|
||||
"""delete registered credential"""
|
||||
|
||||
user = get_current_user()
|
||||
form = ButtonForm()
|
||||
|
||||
if form.validate_on_submit():
|
||||
cred = PasskeyCredential.query.filter(PasskeyCredential.id == id).first_or_404()
|
||||
if cred.user_id != user.id:
|
||||
return '', 404
|
||||
db.session.delete(cred)
|
||||
db.session.commit()
|
||||
return redirect(url_for('.passkey'))
|
||||
|
|
Loading…
Reference in a new issue