feat: only allow deleting threads of current user

backend/internal/app/logic.go

@@ -16,6 +16,6 @@ type Logic interface {
 
 	AddThread(thread *models.Thread, user *models.User) error
 	UpdateThread(thread *models.Thread, user *models.User) error
-	DeleteThread(id uuid.UUID) error
+	DeleteThread(id uuid.UUID, user *models.User) error
 	GetThreads(user *models.User) ([]models.Thread, error)
 }

backend/internal/logic/thread.go

@@ -46,7 +46,15 @@ func (l *Logic) UpdateThread(thread *models.Thread, user *models.User) error {
 	return err
 }
 
-func (l *Logic) DeleteThread(id uuid.UUID) error {
+func (l *Logic) DeleteThread(id uuid.UUID, user *models.User) error {
+	t, err := l.ctx.Data.GetThread(id, user)
+	if err != nil {
+		return ErrNotFound
+	}
+	if t.Account.UserID != user.ID {
+		// invalid user
+		return ErrNotFound
+	}
 	return l.ctx.Data.DeleteThread(id)
 }
 

backend/internal/presentation/thread.go

@@ -61,7 +61,7 @@ func DeleteThread(ctx *web.Context) {
 		return
 	}
 
-	err = ctx.AppCtx.Logic.DeleteThread(id)
+	err = ctx.AppCtx.Logic.DeleteThread(id, ctx.Session.User)
 	if err != nil {
 		ErrorResponse(ctx, err)
 		return