fix: missing user check in screenshot api endpoint

2025-11-10 04:22:09 +10:00 · 2025-05-15 18:28:08 -04:00
parent 4fbc730490
commit 21eec081ee
2 changed files with 23 additions and 2 deletions
--- a/server/api/v1/screenshots/[id]/index.delete.ts
+++ b/server/api/v1/screenshots/[id]/index.delete.ts
@ -13,5 +13,16 @@ export default defineEventHandler(async (h3) => {
      statusMessage: "Missing screenshot ID",
    });

-  return await screenshotManager.delete(screenshotId);
+  const result = await screenshotManager.get(screenshotId);
+  if (!result)
+    throw createError({
+      statusCode: 400,
+      statusMessage: "Incorrect screenshot ID",
+    });
+  else if (result.userId !== userId)
+    throw createError({
+      statusCode: 403,
+    });
+
+  await screenshotManager.delete(screenshotId);
 });
--- a/server/api/v1/screenshots/[id]/index.get.ts
+++ b/server/api/v1/screenshots/[id]/index.get.ts
@ -13,5 +13,15 @@ export default defineEventHandler(async (h3) => {
      statusMessage: "Missing screenshot ID",
    });

-  return await screenshotManager.get(screenshotId);
+  const result = await screenshotManager.get(screenshotId);
+  if (!result)
+    throw createError({
+      statusCode: 400,
+      statusMessage: "Incorrect screenshot ID",
+    });
+  else if (result.userId !== userId)
+    throw createError({
+      statusCode: 403,
+    });
+  return result;
 });