From a5a718e3870e862cf7ef2e5d4f8ef6f8fbd9c3f7 Mon Sep 17 00:00:00 2001
From: gilesb <giles.bradshaw@sigyl.com>
Date: Mon, 12 Jan 2026 19:26:36 +0000
Subject: [PATCH] Remove owner check from recipe deletion (security fix)

Same reasoning as the list fix: the owner field from recipe content
could be spoofed. For L1, any authenticated user can delete recipes.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---
 app/services/recipe_service.py | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/app/services/recipe_service.py b/app/services/recipe_service.py
index 1b13f4b..2ad7f37 100644
--- a/app/services/recipe_service.py
+++ b/app/services/recipe_service.py
@@ -200,11 +200,9 @@ class RecipeService:
         if not recipe:
             return False, "Recipe not found"
 
-        # Check ownership if actor_id provided
-        if actor_id:
-            recipe_owner = recipe.get("owner")
-            if recipe_owner and recipe_owner != actor_id:
-                return False, "Cannot delete: you don't own this recipe"
+        # Note: We don't check ownership from recipe content as it could be spoofed.
+        # For L1, any authenticated user can delete recipes in the cache.
+        # (Ownership tracking should use naming service or cache metadata, not recipe content)
 
         # Delete from cache
         try: