api/graph: check tracker owner before starting import

We were checking the owner when updating the import_in_progress column, but we were starting off the import even if the tracker didn't exist or didn't belong to the user.
2023-08-18 08:14:30 +00:00 · 2023-08-18 08:14:30 +00:00 · eabf5f18d7
parent 046ae6de44
commit eabf5f18d7
1 changed files with 12 additions and 2 deletions
--- a/api/graph/schema.resolvers.go
+++ b/api/graph/schema.resolvers.go
@ -2050,12 +2050,22 @@ func (r *mutationResolver) ImportTrackerDump(ctx context.Context, trackerID int,
 		return false, err
 	}
 	if err := database.WithTx(ctx, nil, func(tx *sql.Tx) error {
-		_, err := tx.ExecContext(ctx, `
+		result, err := tx.ExecContext(ctx, `
 			UPDATE tracker
 			SET import_in_progress = true
 			WHERE id = $1 AND owner_id = $2
 		`, trackerID, auth.ForContext(ctx).UserID)
-		return err
+		if err != nil {
+			return err
+		}
+		n, err := result.RowsAffected()
+		if err != nil {
+			panic(err) // PostgreSQL should always support RowsAffected
+		}
+		if n != 1 {
+			return fmt.Errorf("Access denied")
+		}
+		return nil
 	}); err != nil {
 		return false, err
 	}