From 21eec081ee148a5225489b72c6d69cb67b68aaa5 Mon Sep 17 00:00:00 2001
From: Huskydog9988 <39809509+Huskydog9988@users.noreply.github.com>
Date: Thu, 15 May 2025 18:28:08 -0400
Subject: [PATCH] fix: missing user check in screenshot api endpoint
---
 server/api/v1/screenshots/[id]/index.delete.ts | 13 ++++++++++++-
 server/api/v1/screenshots/[id]/index.get.ts | 12 +++++++++++-
 2 files changed, 23 insertions(+), 2 deletions(-)
diff --git a/server/api/v1/screenshots/[id]/index.delete.ts b/server/api/v1/screenshots/[id]/index.delete.ts
index 360dbf4..c09c332 100644
--- a/server/api/v1/screenshots/[id]/index.delete.ts
+++ b/server/api/v1/screenshots/[id]/index.delete.ts
@@ -13,5 +13,16 @@ export default defineEventHandler(async (h3) => {
 statusMessage: "Missing screenshot ID",
 });
 
- return await screenshotManager.delete(screenshotId);
+ const result = await screenshotManager.get(screenshotId);
+ if (!result)
+ throw createError({
+ statusCode: 400,
+ statusMessage: "Incorrect screenshot ID",
+ });
+ else if (result.userId !== userId)
+ throw createError({
+ statusCode: 403,
+ });
+
+ await screenshotManager.delete(screenshotId);
 });
diff --git a/server/api/v1/screenshots/[id]/index.get.ts b/server/api/v1/screenshots/[id]/index.get.ts
index da84f6a..7864a1b 100644
--- a/server/api/v1/screenshots/[id]/index.get.ts
+++ b/server/api/v1/screenshots/[id]/index.get.ts
@@ -13,5 +13,15 @@ export default defineEventHandler(async (h3) => {
 statusMessage: "Missing screenshot ID",
 });
 
- return await screenshotManager.get(screenshotId);
+ const result = await screenshotManager.get(screenshotId);
+ if (!result)
+ throw createError({
+ statusCode: 400,
+ statusMessage: "Incorrect screenshot ID",
+ });
+ else if (result.userId !== userId)
+ throw createError({
+ statusCode: 403,
+ });
+ return result;
 });
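Review bot: In `index.delete.ts` the new branches answer 400 "Incorrect screenshot ID" for an unknown ID but 403 for an ID that belongs to another user, so the status code alone tells any authenticated caller which screenshot IDs exist; the same pair of branches is added in `index.get.ts`. Collapsing both cases into one response, e.g. `if (!result || result.userId !== userId) throw createError({ statusCode: 404 });`, removes that signal, and 404 describes a missing resource better than 400. The lookup and the delete remain two separate calls, so if `screenshotManager.delete` can be scoped to the owner it would be worth enforcing ownership there as well; that API is not visible in this hunk. The handler begins outside the hunk, so how `userId` is obtained cannot be checked from here.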
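Review bot: The ownership check added in `index.get.ts` is a line-for-line copy of the one in `index.delete.ts`, and a route missing exactly this check is what the commit is fixing. Keeping it in one place, either a small shared helper that fetches the screenshot and throws unless `result.userId === userId`, or a `screenshotManager` lookup that takes the user ID, would make it harder for a later screenshot route to omit it. A short comment above the check, such as `// only the owner may read this screenshot`, would also record the intent. The 403 branch carries no `statusMessage` while the 400 branch does, which is worth making consistent whichever status is kept.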