diff options
| author | MohamedBassem <me@mbassem.com> | 2024-03-21 00:19:19 +0000 |
|---|---|---|
| committer | MohamedBassem <me@mbassem.com> | 2024-03-21 00:19:19 +0000 |
| commit | ac898cd99f4483dd89eb90525f8be0552ad64c5e (patch) | |
| tree | 54b9839325fb1df38a351340255081d6245d5696 /packages | |
| parent | 3e07ccf8fd1eafbdf96056febdc85fa4d61a0842 (diff) | |
| download | karakeep-ac898cd99f4483dd89eb90525f8be0552ad64c5e.tar.zst | |
fix: Fix accessing tags by name failing privacy checks
Diffstat (limited to 'packages')
| -rw-r--r-- | packages/trpc/routers/tags.ts | 26 |
1 files changed, 17 insertions, 9 deletions
diff --git a/packages/trpc/routers/tags.ts b/packages/trpc/routers/tags.ts index 61b052d9..211c3633 100644 --- a/packages/trpc/routers/tags.ts +++ b/packages/trpc/routers/tags.ts @@ -7,9 +7,16 @@ import { bookmarks, bookmarkTags, tagsOnBookmarks } from "@hoarder/db/schema"; import type { Context } from "../index"; import { authedProcedure, router } from "../index"; -function conditionFromInput(input: { tagName: string } | { tagId: string }) { +function conditionFromInput( + input: { tagName: string } | { tagId: string }, + userId: string, +) { if ("tagName" in input) { - return eq(bookmarkTags.name, input.tagName); + // Tag names are not unique, we must include userId in the condition + return and( + eq(bookmarkTags.name, input.tagName), + eq(bookmarkTags.userId, userId), + ); } else { return eq(bookmarkTags.id, input.tagId); } @@ -19,18 +26,19 @@ const ensureTagOwnership = experimental_trpcMiddleware<{ ctx: Context; input: { tagName: string } | { tagId: string }; }>().create(async (opts) => { - const tag = await opts.ctx.db.query.bookmarkTags.findFirst({ - where: conditionFromInput(opts.input), - columns: { - userId: true, - }, - }); if (!opts.ctx.user) { throw new TRPCError({ code: "UNAUTHORIZED", message: "User is not authorized", }); } + const tag = await opts.ctx.db.query.bookmarkTags.findFirst({ + where: conditionFromInput(opts.input, opts.ctx.user.id), + columns: { + userId: true, + }, + }); + if (!tag) { throw new TRPCError({ code: "NOT_FOUND", @@ -80,7 +88,7 @@ export const tagsAppRouter = router({ .leftJoin(bookmarks, eq(tagsOnBookmarks.bookmarkId, bookmarks.id)) .where( and( - conditionFromInput(input), + conditionFromInput(input, ctx.user.id), eq(bookmarkTags.userId, ctx.user.id), eq(bookmarks.archived, false), ), |