Remove owner check from recipe deletion (security fix)

Same reasoning as the list fix: the owner field from recipe content could be spoofed. For L1, any authenticated user can delete recipes. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-12 19:26:36 +00:00
parent c5c7e5e162
commit a5a718e387
1 changed files with 3 additions and 5 deletions
--- a/app/services/recipe_service.py
+++ b/app/services/recipe_service.py
@@ -200,11 +200,9 @@ class RecipeService:
        if not recipe:
            return False, "Recipe not found"

-        # Check ownership if actor_id provided
-        if actor_id:
-            recipe_owner = recipe.get("owner")
-            if recipe_owner and recipe_owner != actor_id:
-                return False, "Cannot delete: you don't own this recipe"
+        # Note: We don't check ownership from recipe content as it could be spoofed.
+        # For L1, any authenticated user can delete recipes in the cache.
+        # (Ownership tracking should use naming service or cache metadata, not recipe content)

        # Delete from cache
        try: