From 3a493d7383fdc0ce0bb7388c1c6a026025cebdec Mon Sep 17 00:00:00 2001
From: Alexis Feron
Date: Sat, 3 May 2025 11:25:22 +0200
Subject: [PATCH] =?UTF-8?q?=F0=9F=94=92=EF=B8=8F=20Fix=20delete=5Fpin=20se?=
 =?UTF-8?q?curity?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 app/routes/pins.py | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/app/routes/pins.py b/app/routes/pins.py
index 94ba1b3..53ddecc 100644
--- a/app/routes/pins.py
+++ b/app/routes/pins.py
@@ -78,11 +78,16 @@ async def list_pins(current_user: User = Depends(get_current_user)):
 )
 async def delete_pin(id: str, current_user: User = Depends(get_current_user)):
 try:
- result = pins_collection.delete_one({"_id": ObjectId(id)})
+ pin = pins_collection.find_one({"_id": ObjectId(id)})
 except bson.errors.InvalidId:
 objectid_misformatted()
- if result.deleted_count == 0:
+ if pin is None:
 raise HTTPException(status_code=404, detail="Pin not found")
-
- return {"message": "Pin deleted"}
\ No newline at end of file
+
+ if pin.get("user_id") != current_user.uid:
+ raise HTTPException(status_code=403, detail="You are not allowed to delete this pin")
+
+ pins_collection.delete_one({"_id": ObjectId(id)})
+
+ return {"message": "Pin deleted"}
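Review bot: The ownership check and the deletion are two separate queries, so the final `pins_collection.delete_one({"_id": ObjectId(id)})` still removes whatever document carries that id at that moment regardless of who owns it; scope the mutating query to the owner as well, `deleted = pins_collection.delete_one({"_id": ObjectId(id), "user_id": current_user.uid})`, and treat `deleted.deleted_count == 0` as the not-found case, so the authorization decision is enforced by the write itself rather than by an earlier read. Answering 403 instead of 404 for another user's pin also confirms to the caller that the id exists; if pin ids are not meant to be discoverable, respond 404 in both branches. The `except` branch depends on `objectid_misformatted()` raising — if it ever returned normally, `pin` would be unbound on the next line; that is pre-existing and the helper is outside the hunk, but a one-line comment such as `# objectid_misformatted() always raises` would make the assumption visible. The route decorator that encloses `delete_pin` starts before the hunk.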