From 36615ef656055aeae3466b36440cdd97740d06ef Mon Sep 17 00:00:00 2001
From: rubenwardy
Date: Sat, 25 Jan 2020 18:26:55 +0000
Subject: [PATCH] Fix access token being exposed after APIToken edit
---
app/blueprints/api/tokens.py | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/app/blueprints/api/tokens.py b/app/blueprints/api/tokens.py
index b8da78d..8eb2a67 100644
--- a/app/blueprints/api/tokens.py
+++ b/app/blueprints/api/tokens.py
@@ -80,14 +80,13 @@ def create_edit_token(username, id=None):
token.owner = user token.access_token = randomString(32) + # Store token so it can be shown in the edit page + session["token_" + str(token.id)] = token.access_token + form.populate_obj(token) db.session.add(token) - db.session.commit() # save - # Store token so it can be shown in the edit page - session["token_" + str(token.id)] = token.access_token - return redirect(url_for("api.create_edit_token", username=username, id=token.id)) return render_template("api/create_edit_token.html", user=user, form=form, token=token, access_token=access_token)
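Review bot: The moved `session["token_" + str(token.id)] = token.access_token` now runs before `db.session.add(token)` and `db.session.commit()`, so for a token created in this request `token.id` has most likely not been assigned yet and the value is stored under `token_None`. The redirect target is built with `id=token.id` after the commit, so the edit page would look up a different key and the creator would never be shown the new token, while the stale `token_None` entry stays in the session. Keeping the write after the commit and guarding it with a flag set in the creation branch, for example `if is_new: session["token_" + str(token.id)] = token.access_token`, keeps the fix for edits without losing the id. The branch condition and the model's key definition are outside this hunk and the indentation is lost on this page, so confirm both before changing it.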