fix(api-key-deletion): don't allow users to delete other users keys (#…

…161)
uc-cdis · Mar 14, 2018 · e5a4d72 · e5a4d72
1 parent f52b05c
commit e5a4d72
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/fence/blueprints/storage_creds.py b/fence/blueprints/storage_creds.py
@@ -314,7 +314,7 @@ def delete_keypair(provider, access_key):
             api_key = (
                 session
                 .query(UserRefreshToken)
-                .filter_by(jti=jti)
+                .filter_by(jti=jti, userid=flask.g.user.id)
                 .first()
             )
         if not api_key: