🔒️ Fix delete_pin security

1 month ago · 3a493d7383
parent 9292e7fd92
commit 3a493d7383
1 changed files with 9 additions and 4 deletions
--- a/app/routes/pins.py
+++ b/app/routes/pins.py
@ -78,11 +78,16 @@ async def list_pins(current_user: User = Depends(get_current_user)):
 )
 async def delete_pin(id: str, current_user: User = Depends(get_current_user)):
    try:
-        result = pins_collection.delete_one({"_id": ObjectId(id)})
+        pin = pins_collection.find_one({"_id": ObjectId(id)})
    except bson.errors.InvalidId:
        objectid_misformatted()

-    if result.deleted_count == 0:
+    if pin is None:
        raise HTTPException(status_code=404, detail="Pin not found")
-    
-    return {"message": "Pin deleted"}
+
+    if pin.get("user_id") != current_user.uid:
+        raise HTTPException(status_code=403, detail="You are not allowed to delete this pin")
+
+    pins_collection.delete_one({"_id": ObjectId(id)})
+
+    return {"message": "Pin deleted"}