From 97f671f729a6ab67d2d645fa63c9c3bc5e8eaeb1 Mon Sep 17 00:00:00 2001
From: Sebastion
Date: Tue, 21 Apr 2026 01:01:53 +0100
Subject: [PATCH] fix: add ownership check to resume delete mutation (CWE-862)
---
 .../router/resumes/resumes-resume-user-router.ts | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/apps/portal/src/server/router/resumes/resumes-resume-user-router.ts b/apps/portal/src/server/router/resumes/resumes-resume-user-router.ts
index 5c19aa76..e8fe4a3b 100644
--- a/apps/portal/src/server/router/resumes/resumes-resume-user-router.ts
+++ b/apps/portal/src/server/router/resumes/resumes-resume-user-router.ts
@@ -441,8 +441,19 @@ export const resumesResumeUserRouter = createProtectedRouter()
 id: z.string(),
 }),
 async resolve({ ctx, input }) {
+ const userId = ctx.session.user.id;
 const { id } = input;
+ const resume = await ctx.prisma.resumesResume.findUnique({
+ where: {
+ id,
+ },
+ });
+ if (resume?.userId !== userId) {
+ throw new Error('Unauthorized: you can only delete your own resumes');
+ }
+
 return await ctx.prisma.resumesResume.delete({
 where: {
 id,
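Review bot: The ownership check (`if (resume?.userId !== userId)`) and the `delete` call are two separate queries, so the authorization decision is made on a different read than the row that is deleted and is not enforced by the delete itself; binding `userId` into the delete's `where` makes the check atomic and drops a round-trip. If the project's Prisma version accepts non-unique fields in a unique `where` (generally available since Prisma 5), `delete({ where: { id, userId } })` does this; otherwise `deleteMany({ where: { id, userId } })` with a check that `count === 1`, bearing in mind the return shape changes for callers. Separately, the failure is thrown as a plain `Error`, which tRPC surfaces as INTERNAL_SERVER_ERROR; `throw new TRPCError({ code: 'FORBIDDEN', message: 'You can only delete your own resumes' });` gives the client a 403-class code (import `TRPCError` from `@trpc/server` if this file does not already). The wording 'Unauthorized' describes a missing session, while this branch runs for an authenticated user who does not own the resume (or for a resume that does not exist, which the combined check deliberately does not distinguish). `resolve`'s body continues past the end of the hunk.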