fix: pin memos of other people (#1870)

30fae208 · CorrectRoadH · GitHub · 5fe644a3 · 30fae208
Unverified Commit 30fae208 authored Jul 01, 2023 by CorrectRoadH Committed by GitHub Jul 01, 2023
Hide whitespace changes
Inline Side-by-side

Showing with 11 additions and 0 deletions

memo.go server/memo.go +11 -0

No files found.
--- a/server/memo.go
+++ b/server/memo.go
@@ -368,6 +368,17 @@ func (s *Server) registerMemoRoutes(g *echo.Group) {
 		if !ok {
 			return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
 		}
+		memo, err := s.Store.GetMemo(ctx, &store.FindMemoMessage{
+			ID: &memoID,
+		})
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find memo").SetInternal(err)
+		}
+		if memo.CreatorID != userID {
+			return echo.NewHTTPError(http.StatusUnauthorized, "Unauthorized")
+		}
 		memoOrganizerUpsert := &api.MemoOrganizerUpsert{}
 		if err := json.NewDecoder(c.Request().Body).Decode(memoOrganizerUpsert); err != nil {
 			return echo.NewHTTPError(http.StatusBadRequest, "Malformatted post memo organizer request").SetInternal(err)