From 7d2facedf311f14a6dfe432ec8639d0d6a8684bf Mon Sep 17 00:00:00 2001
From: Tony Yang
Date: Tue, 15 Apr 2025 10:50:42 +0800
Subject: [PATCH] fix: message deletion permission check

---
 functions/api/messages.js | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/functions/api/messages.js b/functions/api/messages.js
index 4c53e44..ab349b9 100644
--- a/functions/api/messages.js
+++ b/functions/api/messages.js
@@ -71,6 +71,18 @@ export async function onRequestDelete(context) {
         });
     }
 
+    // Check if the message exists
+    const { results } = await env.DB.prepare("SELECT * FROM messages WHERE id = ?").bind(messageId).all();
+    if (results.length === 0) {
+        return createErrorResponse("Message not found", 404);
+    }
+
+    // Check if the user is the owner of the message
+    const message = results[0];
+    if (message.userId !== context.user.userId) {
+        return createErrorResponse("Unauthorized", 403);
+    }
+
     // Delete the message from D1
     await env.DB.prepare("DELETE FROM messages WHERE id = ?").bind(messageId).run();
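Review bot: The ownership check and the delete are two separate statements, so the authorization decision is made on a row that may have changed by the time `DELETE FROM messages WHERE id = ?` runs; binding the owner into the delete itself, `DELETE FROM messages WHERE id = ? AND userId = ?` with `.bind(messageId, context.user.userId)`, and returning 404 when `meta.changes === 0` makes the check atomic and removes the `SELECT *` round-trip (if the pre-read is kept, `SELECT userId ... .first()` is all that is needed). The strict `!==` on `message.userId` will reject every request if the column and the session value differ in type, e.g. an integer column compared with a string claim; worth confirming against the schema and whatever sets `context.user`. Returning 403 after a 404 also tells a non-owner that the id exists; responding 404 in both cases avoids that disclosure. The code assumes `context.user` is already populated by an earlier check, which is outside this hunk; onRequestDelete starts and ends outside it.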