From e5a4d72e45bef5085963916473915ce2d8fd48ae Mon Sep 17 00:00:00 2001
From: Alexander VanTol
Date: Wed, 14 Mar 2018 15:22:54 -0500
Subject: [PATCH] fix(api-key-deletion): don't allow users to delete other users keys (#161)
---
 fence/blueprints/storage_creds.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fence/blueprints/storage_creds.py b/fence/blueprints/storage_creds.py
index ed0c6f4d8..c89e136bf 100644
--- a/fence/blueprints/storage_creds.py
+++ b/fence/blueprints/storage_creds.py
@@ -314,7 +314,7 @@ def delete_keypair(provider, access_key):
 api_key = (
 session
 .query(UserRefreshToken)
- .filter_by(jti=jti)
+ .filter_by(jti=jti, userid=flask.g.user.id)
 .first()
 )
 if not api_key:
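Review bot: The ownership filter added on the `.filter_by(jti=jti, userid=flask.g.user.id)` line is the only thing that stops one user from deleting another user's key, yet it carries no comment and the commit (one file changed per the diffstat) adds no regression test for it. I would put `# scope the lookup to the caller; a jti alone must never authorize deletion` above the `api_key = (` line, and add a test in which a second user requests deletion of the first user's key and the row is still present afterwards. The `if not api_key:` branch continues outside the hunk, so I cannot confirm it, but it should answer identically for a missing key and for a key owned by someone else, so the response does not reveal which jti values exist. It also looks as if `flask.g.user` is assumed to be set at this point; worth confirming the route always runs behind the login check. delete_keypair starts and ends outside the hunk.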