Check client when creating client on api

2025-02-25 18:55:29 -06:00 · 2022-02-16 12:58:26 -07:00 · 2022-02-16 12:58:26 -07:00 · 0b9a175ce9
commit 0b9a175ce9
parent 6f12fc2633
1 changed files with 8 additions and 0 deletions
--- a/api.go
+++ b/api.go
@ -175,8 +175,16 @@ func (a *Api) handleUsers(w http.ResponseWriter, r *http.Request) {
 			return
 		}
 	} else if len(parts) == 3 && parts[1] == "clients" {
+
 		ownerId := parts[0]
 		clientId := parts[2]
+
+		if tokenData.Client != "" && clientId != tokenData.Client {
+			w.WriteHeader(403)
+			io.WriteString(w, "Token cannot be used to modify this user's clients")
+			return
+		}
+
 		if r.Method == "PUT" {
 			err := a.SetClient(tokenData, r.Form, ownerId, clientId)
 			if err != nil {