Oops, fix a security error in outfit saving

Uhhh I guess I never added the check that the outfit you're editing is your own? Embarrassing.

I don't have any reason to believe anyone abused this, but 😬! Good to have fixed now!

src/server/types/Outfit.js

@@ -147,6 +147,7 @@ const resolvers = {
       {
         currentUserId,
         db,
+        outfitLoader,
         petTypeBySpeciesAndColorLoader,
         petStatesForPetTypeLoader,
       }
@@ -157,6 +158,18 @@ const resolvers = {
         );
       }
 
+      if (id) {
+        const outfit = await outfitLoader.load(id);
+        if (outfit == null) {
+          throw new Error(`outfit ${outfit.id} does not exist`);
+        }
+        if (outfit.userId !== currentUserId) {
+          throw new Error(
+            `user ${currentUserId} does not own outfit ${outfit.id}`
+          );
+        }
+      }
+
       // Get the base name of the provided name: trim it, and strip any "(1)"
       // suffixes.
       const baseName = (rawName || "Untitled outfit").replace(