From 7ee79ec56c62eea18c9e6675b96897439368626d Mon Sep 17 00:00:00 2001
From: Bernd Bestel
Date: Sun, 30 Apr 2023 22:32:08 +0200
Subject: [PATCH] Fixed permission check when deleting API keys (fixes #2204)
---
 changelog/70_UNRELEASED_xxxx.xx.xx.md | 1 +
 controllers/GenericEntityApiController.php | 4 ++++
 grocy.openapi.json | 4 +---
 3 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/changelog/70_UNRELEASED_xxxx.xx.xx.md b/changelog/70_UNRELEASED_xxxx.xx.xx.md
index 75f96e75..0f2e2ee8 100644
--- a/changelog/70_UNRELEASED_xxxx.xx.xx.md
+++ b/changelog/70_UNRELEASED_xxxx.xx.xx.md
@@ -88,6 +88,7 @@ ### General
 - Added a new `config.php` setting `ENERGY_UNIT` to customize the label to display energy values (was fixed `kcal` before and defaults to that, so no changed behavior when not configured)
+- Fixed that users were unable to delete their own API keys (when not having the `All permissions` permission)
 - New translations: (thanks all the translators)
 - Romanian (demo available at )
diff --git a/controllers/GenericEntityApiController.php b/controllers/GenericEntityApiController.php
index a3208323..c939a6f1 100644
--- a/controllers/GenericEntityApiController.php
+++ b/controllers/GenericEntityApiController.php
@@ -89,6 +89,10 @@ class GenericEntityApiController extends BaseApiController
 {
 User::checkPermission($request, User::PERMISSION_EQUIPMENT);
 }
+ elseif ($args['entity'] == 'api_keys')
+ {
+ // Always allowed
+ }
 else
 {
 User::checkPermission($request, User::PERMISSION_MASTER_DATA_EDIT);
diff --git a/grocy.openapi.json b/grocy.openapi.json
index fd2fda91..bd5bde62 100644
--- a/grocy.openapi.json
+++ b/grocy.openapi.json
@@ -5821,9 +5821,7 @@
 },
 "ExposedEntityEditRequiresAdmin": {
 "type": "string",
- "enum": [
- "api_keys"
- ]
+ "enum": []
 },
 "StockTransactionType": {
 "type": "string",
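Review bot: The added `api_keys` branch skips `User::checkPermission` altogether, and nothing in this hunk ties the key being deleted to the user making the request. The changelog says the goal is for users to delete their own keys, but "Always allowed" as written covers any key id unless an ownership check exists in the part of the method outside the hunk (the method starts and ends outside it). I would keep the admin check as the fallback and skip it only when the row belongs to the authenticated user, and replace the comment with `// No permission required, but the key must belong to the requesting user`. The comparison should also be strict: `elseif ($args['entity'] === 'api_keys')`.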
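Review bot: Emptying `ExposedEntityEditRequiresAdmin` to `"enum": []` removes `api_keys` from a list whose name covers edits in general, while the commit message only talks about deletion. If anything reads this enum at runtime to gate creating or updating `api_keys` entries, that gate is gone as well, so it is worth confirming that those paths are still restricted to the key's owner. Separately, an empty `enum` leaves a string schema with no permitted value, and the JSON Schema drafts that OpenAPI 3.0 builds on expect at least one element, so strict validators or client generators may reject the document. If no entity needs the admin restriction any more, removing the schema and its references would be cleaner than keeping an empty list.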