From 5dfd67a221f844fcb525bd76f426cc4046ae6e4b Mon Sep 17 00:00:00 2001
From: Matchu <matchu1993@gmail.com>
Date: Mon, 15 Aug 2022 19:51:31 -0700
Subject: [PATCH] Oops, fix a security error in outfit saving
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Uhhh I guess I never added the check that the outfit you're editing is your own? Embarrassing.

I don't have any reason to believe anyone abused this, but 😬! Good to have fixed now!
---
 src/server/types/Outfit.js | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/src/server/types/Outfit.js b/src/server/types/Outfit.js
index 8af067c..8533892 100644
--- a/src/server/types/Outfit.js
+++ b/src/server/types/Outfit.js
@@ -147,6 +147,7 @@ const resolvers = {
       {
         currentUserId,
         db,
+        outfitLoader,
         petTypeBySpeciesAndColorLoader,
         petStatesForPetTypeLoader,
       }
@@ -157,6 +158,18 @@ const resolvers = {
         );
       }
 
+      if (id) {
+        const outfit = await outfitLoader.load(id);
+        if (outfit == null) {
+          throw new Error(`outfit ${outfit.id} does not exist`);
+        }
+        if (outfit.userId !== currentUserId) {
+          throw new Error(
+            `user ${currentUserId} does not own outfit ${outfit.id}`
+          );
+        }
+      }
+
       // Get the base name of the provided name: trim it, and strip any "(1)"
       // suffixes.
       const baseName = (rawName || "Untitled outfit").replace(