api/graph: check tracker owner before starting import
We were checking the owner when updating the import_in_progress column, but we were starting off the import even if the tracker didn't exist or didn't belong to the user.
This commit is contained in:
parent
046ae6de44
commit
eabf5f18d7
|
@ -2050,12 +2050,22 @@ func (r *mutationResolver) ImportTrackerDump(ctx context.Context, trackerID int,
|
|||
return false, err
|
||||
}
|
||||
if err := database.WithTx(ctx, nil, func(tx *sql.Tx) error {
|
||||
_, err := tx.ExecContext(ctx, `
|
||||
result, err := tx.ExecContext(ctx, `
|
||||
UPDATE tracker
|
||||
SET import_in_progress = true
|
||||
WHERE id = $1 AND owner_id = $2
|
||||
`, trackerID, auth.ForContext(ctx).UserID)
|
||||
return err
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
n, err := result.RowsAffected()
|
||||
if err != nil {
|
||||
panic(err) // PostgreSQL should always support RowsAffected
|
||||
}
|
||||
if n != 1 {
|
||||
return fmt.Errorf("Access denied")
|
||||
}
|
||||
return nil
|
||||
}); err != nil {
|
||||
return false, err
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue