fix: add user_id ownership check to update_source_rss

Adds `AND user_id = $4` to the UPDATE query in `update_source_rss` and
threads the `user_id` parameter through from `run_generation_inner`,
consistent with every other mutation in db/sources.rs.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
master
oabrivard 2 months ago
parent 7e1ab0996b
commit 7d3dfa37a9

@ -176,18 +176,21 @@ pub async fn update_preferred(
///
/// Called during synthesis generation when a feed is discovered or re-verified.
/// Pass `rss_url = None` to clear a previously cached feed (e.g., feed no longer exists).
/// Only updates the source if it belongs to the given user (ownership check).
pub async fn update_source_rss(
pool: &PgPool,
source_id: Uuid,
user_id: Uuid,
rss_url: Option<&str>,
rss_discovered_at: Option<DateTime<Utc>>,
) -> Result<(), AppError> {
sqlx::query(
"UPDATE sources SET rss_url = $1, rss_discovered_at = $2 WHERE id = $3",
"UPDATE sources SET rss_url = $1, rss_discovered_at = $2 WHERE id = $3 AND user_id = $4",
)
.bind(rss_url)
.bind(rss_discovered_at)
.bind(source_id)
.bind(user_id)
.execute(pool)
.await?;
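Review bot: The new `AND user_id = $4` predicate makes a `source_id` owned by another user match zero rows, but the value returned by `.execute(pool).await?` is discarded, so that case presumably returns success exactly like a real update. Consider keeping the result and checking it, e.g. `let res = sqlx::query(...) ... .execute(pool).await?;` then `if res.rows_affected() == 0 { /* return the not-found error the other mutations use */ }`. That lets callers and logs tell a rejected cross-user write from an applied one. The function body continues past the end of this hunk, so a later line may already handle this. The added doc line could also state what the caller gets back when the source belongs to a different user.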

@ -282,6 +282,7 @@ pub async fn run_generation_inner(
db::sources::update_source_rss(
&state.pool,
source_id,
user_id,
new_rss_url.as_deref(),
new_discovered_at,
).await.ok();
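Review bot: The call still ends in `.await.ok()`, so every error from `update_source_rss` is dropped without a log line, and if the function is ever made to report a zero-row update, a rejected ownership check would be hidden here too. A logged branch would keep failed or rejected updates visible for later review, e.g. `if let Err(e) = db::sources::update_source_rss(...).await { /* log source_id, user_id and e with the project's logger */ }`. It is also worth confirming that the `user_id` passed here comes from the authenticated session or the job's owner rather than from request input. Its origin in `run_generation_inner` is outside this hunk.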
