double check admin key holders (#761)

2026-04-20 00:35:22 +00:00 · 2026-01-03 09:08:08 -05:00 · 2026-01-03 09:08:08 -05:00 · f406bec762
commit f406bec762
parent ae7d9c73fb
1 changed files with 8 additions and 1 deletions
--- a/app/controllers/api/admin/application_controller.rb
+++ b/app/controllers/api/admin/application_controller.rb
@ -13,7 +13,14 @@ module Api

          if @admin_api_key
            @current_user = @admin_api_key.user
-            @current_user.admin_level.in?([ "admin", "superadmin", "viewer" ])
+
+            unless @current_user.admin_level.in?([ "admin", "superadmin", "viewer" ])
+              @admin_api_key.revoke!
+              render json: { error: "lmao no perms" }, status: :unauthorized
+              false
+            else
+              true
+            end
          else
            render json: { error: "lmao no perms" }, status: :unauthorized
          end