diff --git a/lenticular_cloud/views/frontend.py b/lenticular_cloud/views/frontend.py index cfdba60..33ea08d 100644 --- a/lenticular_cloud/views/frontend.py +++ b/lenticular_cloud/views/frontend.py @@ -285,9 +285,13 @@ def passkey_new_process() -> ResponseReturnValue: def passkey_delete(id: str) -> ResponseReturnValue: """delete registered credential""" + user = get_current_user() form = ButtonForm() + if form.validate_on_submit(): cred = PasskeyCredential.query.filter(PasskeyCredential.id == id).first_or_404() + if cred.user_id != user.id: + return '', 404 db.session.delete(cred) db.session.commit() return redirect(url_for('.passkey'))
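Review bot: The new ownership check in `passkey_delete` answers differently from the not-found path: `first_or_404()` aborts with Flask's 404 error response, while the added `return '', 404` sends an empty body, so a logged-in user can still tell another user's credential id apart from a nonexistent one. Folding the owner into the lookup removes that difference and never loads a foreign row: `cred = PasskeyCredential.query.filter(PasskeyCredential.id == id, PasskeyCredential.user_id == user.id).first_or_404()`, with the separate `if cred.user_id != user.id:` branch dropped (this assumes `user_id` is a mapped column, as the attribute access suggests). A regression test that posts another user's passkey id and expects the same 404 as for an unknown id would pin the fix. Other views that look up a `PasskeyCredential` by id alone are outside this hunk and may need the same scoping.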