From c1b582e91b429bc7d5ad02e6c22f98234ec67615 Mon Sep 17 00:00:00 2001
From: yashsinghcodes
Date: Fri, 26 Jun 2026 16:46:54 +0530
Subject: [PATCH] fix: user api key generation logic
---
 shared.go | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/shared.go b/shared.go
index c285c97b..18c7e193 100644
--- a/shared.go
+++ b/shared.go
@@ -9969,6 +9969,13 @@ func HandleApiGeneration(resp http.ResponseWriter, request *http.Request) {
 return
 }

+ if foundUser.Id != userInfo.Id {
+ log.Printf("[AUDIT] %s tried and failed to change apikey for %s (1)", userInfo.Username, t.UserId)
+ resp.WriteHeader(401)
+ resp.Write([]byte(fmt.Sprintf(`{"success": false, "reason": "Can't change the apikey of another user"}`)))
+ return
+ }
+
 // FIXME: May not be good due to different roles in different organizations.
 if foundUser.Role == "admin" {
 log.Printf("[AUDIT] %s tried and failed to change apikey for %s. Skipping because users' role is admin", userInfo.Username, t.UserId)
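Review bot: With the new `foundUser.Id != userInfo.Id` guard in place, the `foundUser.Role == "admin"` branch right after it can only be reached when the caller targets their own account, so its "tried and failed" audit message and the FIXME above it no longer describe a cross-user attempt. The rest of that branch lies outside the hunk, so confirm it does not now stop an admin from rotating their own key. In the added log line, `t.UserId` appears to come from the request and is printed with `%s`; `%q` would keep a crafted value from breaking up or forging `[AUDIT]` entries: `log.Printf("[AUDIT] %s tried and failed to change apikey for %q (1)", userInfo.Username, t.UserId)`. Since `userInfo` is already populated here, the caller looks authenticated, so `resp.WriteHeader(403)` would describe the refusal more accurately than 401, and the `fmt.Sprintf` around the constant JSON body can be dropped in favour of writing the literal directly.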