fix: add ownership check to resume delete mutation (CWE-862)

3 weeks ago · 97f671f729
parent 8ee2acb54a
commit 97f671f729
1 changed files with 11 additions and 0 deletions
--- a/apps/portal/src/server/router/resumes/resumes-resume-user-router.ts
+++ b/apps/portal/src/server/router/resumes/resumes-resume-user-router.ts
@ -441,8 +441,19 @@ export const resumesResumeUserRouter = createProtectedRouter()
      id: z.string(),
    }),
    async resolve({ ctx, input }) {
+      const userId = ctx.session.user.id;
      const { id } = input;

+      const resume = await ctx.prisma.resumesResume.findUnique({
+        where: {
+          id,
+        },
+      });
+
+      if (resume?.userId !== userId) {
+        throw new Error('Unauthorized: you can only delete your own resumes');
+      }
+
      return await ctx.prisma.resumesResume.delete({
        where: {
          id,