SECURITY: Correct permission check when revoking user API keys

app/controllers/user_api_keys_controller.rb

@@ -167,7 +167,7 @@ class UserApiKeysController < ApplicationController
 
   def find_key
     key = UserApiKey.find(params[:id])
-    raise Discourse::InvalidAccess unless current_user.admin || key.user_id = current_user.id
+    raise Discourse::InvalidAccess unless current_user.admin || key.user_id == current_user.id
     key
   end
 

spec/requests/user_api_keys_controller_spec.rb

@@ -133,6 +133,19 @@ describe UserApiKeysController do
       expect(key.revoked_at).not_to eq(nil)
     end
 
+    it "will not allow revoking another users key" do
+      key = Fabricate(:readonly_user_api_key)
+      acting_user = Fabricate(:user)
+      sign_in(acting_user)
+
+      post "/user-api-key/revoke.json",
+        params: { id: key.id }
+
+      expect(response.status).to eq(403)
+      key.reload
+      expect(key.revoked_at).to eq(nil)
+    end
+
     it "will not return p access if not yet configured" do
       SiteSetting.min_trust_level_for_user_api_key = 0
       SiteSetting.allowed_user_api_auth_redirects = args[:auth_redirect]