Fixed permission check when deleting API keys (fixes #2204)

This commit is contained in:
Bernd Bestel 2023-04-30 22:32:08 +02:00
parent df4907f5d4
commit 7ee79ec56c
No known key found for this signature in database
GPG Key ID: 71BD34C0D4891300
3 changed files with 6 additions and 3 deletions

View File

@ -88,6 +88,7 @@
### General
- Added a new `config.php` setting `ENERGY_UNIT` to customize the label to display energy values (was fixed `kcal` before and defaults to that, so no changed behavior when not configured)
- Fixed that users were unable to delete their own API keys (when not having the `All permissions` permission)
- New translations: (thanks all the translators)
- Romanian (demo available at <https://ro.demo.grocy.info>)

View File

@ -89,6 +89,10 @@ class GenericEntityApiController extends BaseApiController
{
User::checkPermission($request, User::PERMISSION_EQUIPMENT);
}
elseif ($args['entity'] == 'api_keys')
{
// Always allowed
}
else
{
User::checkPermission($request, User::PERMISSION_MASTER_DATA_EDIT);

View File

@ -5821,9 +5821,7 @@
},
"ExposedEntityEditRequiresAdmin": {
"type": "string",
"enum": [
"api_keys"
]
"enum": []
},
"StockTransactionType": {
"type": "string",