From 4882bac13b657d25d0bbfb8cbc7307c8ea870ca7 Mon Sep 17 00:00:00 2001
From: Jonni Liljamo
Date: Thu, 26 Oct 2023 13:49:08 +0300
Subject: [PATCH] fix: a possible flaw to delete domains owned by others

---
 internal/db/domains.go | 4 ++--
 internal/handlers/domains.go | 9 ++++++++-
 2 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/internal/db/domains.go b/internal/db/domains.go
index d81b3c3..287b62d 100644
--- a/internal/db/domains.go
+++ b/internal/db/domains.go
@@ -96,8 +96,8 @@ func CreateDomain(domain string, aRecord string, owner string) error {
 	return nil
 }
 
-func DeleteDomain(id string) error {
-	_, err := DBConn.Exec(`DELETE FROM domains WHERE id = $1`, id)
+func DeleteDomain(id string, user_id string) error {
+	_, err := DBConn.Exec(`DELETE FROM domains WHERE id = $1 AND owner = $2`, id, user_id)
 	if err != nil {
 		return err
 	}
diff --git a/internal/handlers/domains.go b/internal/handlers/domains.go
index 0242a48..795c868 100644
--- a/internal/handlers/domains.go
+++ b/internal/handlers/domains.go
@@ -75,7 +75,14 @@ func DeleteDomain() gin.HandlerFunc {
 	return func(c *gin.Context) {
 		id := c.Param("id")
-		err := db.DeleteDomain(id)
+		userId, exists := c.Get("user_id")
+		if !exists {
+			c.String(http.StatusInternalServerError, "This should not be possible, but don't quote me on that")
+			c.Abort()
+			return
+		}
+
+		err := db.DeleteDomain(id, userId.(string))
 		if err != nil {
 			// FIXME: Handle better
 			c.String(http.StatusInternalServerError, "Something went wrong while deleting the domain")
-- 
2.44.1
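Review bot: The new `DeleteDomain` in internal/db/domains.go still discards the `sql.Result`, so a delete of a domain the caller does not own (or that does not exist) now matches zero rows and returns `nil` exactly as a successful delete does; the authorization check is correct, but its outcome is invisible to the handler, which presumably reports success either way. Read `RowsAffected()` and return a sentinel the handler can map to a 404/403 rather than a 200, so a failed ownership check is both observable to the client and loggable for detection. While touching the signature, `user_id` should be `userID` per Go naming, and a doc comment such as `// DeleteDomain removes the domain with the given id only if it is owned by userID; it returns an error when no such owned domain exists.` would make the contract explicit. The function body continues past the end of this hunk (the trailing `return nil` is not shown).
```go
// ErrDomainNotFound is a constructed name; declare it once at package level.
func DeleteDomain(id string, userID string) error {
	res, err := DBConn.Exec(`DELETE FROM domains WHERE id = $1 AND owner = $2`, id, userID)
	if err != nil {
		return err
	}
	n, err := res.RowsAffected()
	if err != nil {
		return err
	}
	// Zero rows means the domain does not exist or is owned by someone else;
	// surface that instead of reporting success.
	if n == 0 {
		return ErrDomainNotFound
	}
	// … unchanged: return nil …
```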