diff options
| -rw-r--r-- | packages/trpc/routers/tags.ts | 26 |
1 files changed, 17 insertions, 9 deletions
diff --git a/packages/trpc/routers/tags.ts b/packages/trpc/routers/tags.ts index 61b052d9..211c3633 100644 --- a/packages/trpc/routers/tags.ts +++ b/packages/trpc/routers/tags.ts @@ -7,9 +7,16 @@ import { bookmarks, bookmarkTags, tagsOnBookmarks } from "@hoarder/db/schema"; import type { Context } from "../index"; import { authedProcedure, router } from "../index"; -function conditionFromInput(input: { tagName: string } | { tagId: string }) { +function conditionFromInput( + input: { tagName: string } | { tagId: string }, + userId: string, +) { if ("tagName" in input) { - return eq(bookmarkTags.name, input.tagName); + // Tag names are not unique, we must include userId in the condition + return and( + eq(bookmarkTags.name, input.tagName), + eq(bookmarkTags.userId, userId), + ); } else { return eq(bookmarkTags.id, input.tagId); } @@ -19,18 +26,19 @@ const ensureTagOwnership = experimental_trpcMiddleware<{ ctx: Context; input: { tagName: string } | { tagId: string }; }>().create(async (opts) => { - const tag = await opts.ctx.db.query.bookmarkTags.findFirst({ - where: conditionFromInput(opts.input), - columns: { - userId: true, - }, - }); if (!opts.ctx.user) { throw new TRPCError({ code: "UNAUTHORIZED", message: "User is not authorized", }); } + const tag = await opts.ctx.db.query.bookmarkTags.findFirst({ + where: conditionFromInput(opts.input, opts.ctx.user.id), + columns: { + userId: true, + }, + }); + if (!tag) { throw new TRPCError({ code: "NOT_FOUND", @@ -80,7 +88,7 @@ export const tagsAppRouter = router({ .leftJoin(bookmarks, eq(tagsOnBookmarks.bookmarkId, bookmarks.id)) .where( and( - conditionFromInput(input), + conditionFromInput(input, ctx.user.id), eq(bookmarkTags.userId, ctx.user.id), eq(bookmarks.archived, false), ), |