From e3666cfb4b2b78c7d6d293240dd175a4c74c1b40 Mon Sep 17 00:00:00 2001 From: fipwmaqzufheoxq92ebc <29818044+fipwmaqzufheoxq92ebc@users.noreply.github.com> Date: Wed, 2 Sep 2020 11:28:49 +0200 Subject: [PATCH] Allow only admin users to create custom API-Keys --- controllers/GenericEntityApiController.php | 11 +++++++++++ grocy.openapi.json | 6 ++++++ 2 files changed, 17 insertions(+) diff --git a/controllers/GenericEntityApiController.php b/controllers/GenericEntityApiController.php index f3b72afa..d2733275 100644 --- a/controllers/GenericEntityApiController.php +++ b/controllers/GenericEntityApiController.php @@ -13,6 +13,9 @@ class GenericEntityApiController extends BaseApiController if ($this->IsValidEntity($args['entity'])) { + if($this->IsEntityWithEditRequiresAdmin($args['entity'])) + User::checkPermission($request, User::PERMISSION_ADMIN); + $requestBody = $request->getParsedBody(); try @@ -49,6 +52,8 @@ class GenericEntityApiController extends BaseApiController if ($this->IsValidEntity($args['entity'])) { + if($this->IsEntityWithEditRequiresAdmin($args['entity'])) + User::checkPermission($request, User::PERMISSION_ADMIN); $row = $this->getDatabase()->{$args['entity']} ($args['objectId']); $row->delete(); @@ -68,6 +73,8 @@ class GenericEntityApiController extends BaseApiController if ($this->IsValidEntity($args['entity'])) { + if($this->IsEntityWithEditRequiresAdmin($args['entity'])) + User::checkPermission($request, User::PERMISSION_ADMIN); $requestBody = $request->getParsedBody(); try @@ -223,6 +230,10 @@ class GenericEntityApiController extends BaseApiController { parent::__construct($container); } + private function IsEntityWithEditRequiresAdmin($entity) + { + return !in_array($entity, $this->getOpenApiSpec()->components->internalSchemas->EntityEditRequiresAdmin->enum); + } private function IsEntityWithPreventedListing($entity) { diff --git a/grocy.openapi.json b/grocy.openapi.json index b8d587b1..b569a82a 100644 --- a/grocy.openapi.json 
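Review bot: The new guard in this hunk (and the identical ones in the hunks at -49 and -68) is written as a brace-less `if(` with no space after the keyword, while the context line two lines above uses `if (...)` with the brace on its own line; writing it as `if ($this->IsEntityWithEditRequiresAdmin($args['entity']))` followed by `{` / `User::checkPermission($request, User::PERMISSION_ADMIN);` / `}` matches the file's style and prevents a later second statement from silently falling outside the condition. The three guards are also spaced inconsistently: this one is followed by an added blank line, the other two are not. The enclosing methods start and end outside all three hunks.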
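Review bot: IsEntityWithEditRequiresAdmin negates the in_array result, so it returns true for every entity that is NOT in the EntityEditRequiresAdmin enum — and that enum, added in this same commit, contains only `api_keys`. As written, api_keys edits are the one case that skips the PERMISSION_ADMIN check while every other entity becomes admin-only, the inverse of the commit subject; drop the negation and pass the strict flag: `return in_array($entity, $this->getOpenApiSpec()->components->internalSchemas->EntityEditRequiresAdmin->enum, true);`. Typing the signature as `private function IsEntityWithEditRequiresAdmin(string $entity): bool` and adding a one-line comment such as `// Entities listed in internalSchemas.EntityEditRequiresAdmin may only be added/edited/deleted by admins` would document the intent. The constructor before and IsEntityWithPreventedListing after are only partly visible in the hunk.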
+++ b/grocy.openapi.json
@@ -3483,6 +3483,12 @@
         "meal_plan"
       ]
     },
+    "EntityEditRequiresAdmin": {
+      "type": "string",
+      "enum": [
+        "api_keys"
+      ]
+    },
     "StockTransactionType": {
       "type": "string",
       "enum": [