api: auth: The impersonation is tied to the key and not the user

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

diff --git a/src/dbl/api/__init__.py b/src/dbl/api/__init__.py
index 80d4799bcf071fe6b854672a773a74c7d1664e52..81596c525dca82f3f04e60edad63ee4e2f246ed5 100644 (file)
--- a/src/dbl/api/__init__.py
+++ b/src/dbl/api/__init__.py
@@ -74,7 +74,7 @@ async def require_api_key(request: fastapi.Request, api_key: str = fastapi.Depen
                log.debug("%s wants to impersonate '%s'" % (user.uid, impersonated_uid))
 
                # Check if we have permissions to perform this action
-               if not user.can_impersonate:
+               if not key.can_impersonate:
                        raise fastapi.HTTPException(403, "Impersonation denied")
 
                # Fetch the impersonated user