From 7d3dfa37a966d09f2c54015c5b41f31fa3ce9c89 Mon Sep 17 00:00:00 2001 From: oabrivard Date: Fri, 3 Apr 2026 15:08:43 +0200 Subject: [PATCH] fix: add user_id ownership check to update_source_rss Adds `AND user_id = $4` to the UPDATE query in `update_source_rss` and threads the `user_id` parameter through from `run_generation_inner`, consistent with every other mutation in db/sources.rs. Co-Authored-By: Claude Sonnet 4.6 --- backend/src/db/sources.rs | 5 ++++- backend/src/services/synthesis/mod.rs | 1 + 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/backend/src/db/sources.rs b/backend/src/db/sources.rs index aab1fbf..d04bae8 100644 --- a/backend/src/db/sources.rs +++ b/backend/src/db/sources.rs @@ -176,18 +176,21 @@ pub async fn update_preferred( /// /// Called during synthesis generation when a feed is discovered or re-verified. /// Pass `rss_url = None` to clear a previously cached feed (e.g., feed no longer exists). +/// Only updates the source if it belongs to the given user (ownership check). pub async fn update_source_rss( pool: &PgPool, source_id: Uuid, + user_id: Uuid, rss_url: Option<&str>, rss_discovered_at: Option>, ) -> Result<(), AppError> { sqlx::query( - "UPDATE sources SET rss_url = $1, rss_discovered_at = $2 WHERE id = $3", + "UPDATE sources SET rss_url = $1, rss_discovered_at = $2 WHERE id = $3 AND user_id = $4", ) .bind(rss_url) .bind(rss_discovered_at) .bind(source_id) + .bind(user_id) .execute(pool) .await?; diff --git a/backend/src/services/synthesis/mod.rs b/backend/src/services/synthesis/mod.rs index f4ac128..5cdc8ec 100644 --- a/backend/src/services/synthesis/mod.rs +++ b/backend/src/services/synthesis/mod.rs @@ -282,6 +282,7 @@ pub async fn run_generation_inner( db::sources::update_source_rss( &state.pool, source_id, + user_id, new_rss_url.as_deref(), new_discovered_at, ).await.ok();