art-dag/celery
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Remove owner check from recipe deletion (security fix)

Browse Source 
Same reasoning as the list fix: the owner field from recipe content
could be spoofed. For L1, any authenticated user can delete recipes.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
gilesb
2026-01-12 19:26:36 +00:00
parent c5c7e5e162
commit a5a718e387
1 changed files with 3 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
app/services/recipe_service.py
View File

@@ -200,11 +200,9 @@ class RecipeService:
if not recipe: if not recipe:
return False, "Recipe not found" return False, "Recipe not found"
# Check ownership if actor_id provided # Note: We don't check ownership from recipe content as it could be spoofed.
if actor_id: # For L1, any authenticated user can delete recipes in the cache.
recipe_owner = recipe.get("owner") # (Ownership tracking should use naming service or cache metadata, not recipe content)
if recipe_owner and recipe_owner != actor_id:
return False, "Cannot delete: you don't own this recipe"
# Delete from cache # Delete from cache
try: try: