From 6f285c820892cb0158cd34fb88bf0b58001b975c Mon Sep 17 00:00:00 2001
From: MrMelon54 <github@mrmelon54.com>
Date: Wed, 8 Jan 2025 00:32:31 +0000
Subject: [PATCH] API: Prevent setEnabled when domain is not owned

---
 api/api.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/api/api.go b/api/api.go
index b3aaaa5..f5d5e71 100644
--- a/api/api.go
+++ b/api/api.go
@@ -34,6 +34,7 @@ func setEnabled(rw http.ResponseWriter, req *http.Request, params httprouter.Par
 
 	if !validateDomainOwnershipClaims(host, b.Claims.Perms) {
 		http.Error(rw, "Forbidden", http.StatusForbidden)
+		return
 	}
 
 	err := db.SetDomainBranchEnabled(req.Context(), database.SetDomainBranchEnabledParams{