From 2eea083fe71c31f51fbba5462436e9481b05d463 Mon Sep 17 00:00:00 2001
From: tuxcoder
Date: Tue, 26 Dec 2023 12:57:59 +0100
Subject: [PATCH] [passkey] check if user owns passkey befor delete

---
 lenticular_cloud/views/frontend.py | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/lenticular_cloud/views/frontend.py b/lenticular_cloud/views/frontend.py
index cfdba60..33ea08d 100644
--- a/lenticular_cloud/views/frontend.py
+++ b/lenticular_cloud/views/frontend.py
@@ -285,9 +285,13 @@ def passkey_new_process() -> ResponseReturnValue:
 def passkey_delete(id: str) -> ResponseReturnValue:
     """delete registered credential"""
+    user = get_current_user()
     form = ButtonForm()
+
     if form.validate_on_submit():
         cred = PasskeyCredential.query.filter(PasskeyCredential.id == id).first_or_404()
+        if cred.user_id != user.id:
+            return '', 404
         db.session.delete(cred)
         db.session.commit()
     return redirect(url_for('.passkey'))
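Review bot: The ownership test `if cred.user_id != user.id:` runs only after the credential has been loaded by id alone, so the lookup and the authorization decision are two separate steps that can drift apart in later edits; folding the owner into the query keeps them together and gives the same 404 for a missing and a foreign credential: `cred = PasskeyCredential.query.filter(PasskeyCredential.id == id, PasskeyCredential.user_id == user.id).first_or_404()`, after which the added `if`/`return '', 404` pair can go. If `get_current_user()` can return None for an anonymous session (its definition and the route's decorators are outside the hunk), `user.id` raises before the check runs, so the route needs a login guard or an explicit None check ahead of the comparison. The docstring should state the contract the commit introduces, e.g. `"""Delete a registered passkey credential; only its owner may delete it, anything else is answered with 404."""`. The hunk header counts one more context line than is visible, so the trailing context appears cut off by the chunk boundary, though the function body itself is fully in view.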