fix: users cannot edit, delete, or restore other users' tags

src/db/doll.rs

@@ -112,7 +112,11 @@ pub async fn create(db: &mut DbHook, doll: CreateDollProfile<'_>) -> sqlx::Resul
 }
 
 /// editing a doll_profile will also unarchive it
-pub async fn edit(db: &mut DbHook, doll: CreateDollProfile<'_>) -> sqlx::Result<()> {
+pub async fn edit(
+	db: &mut DbHook,
+	bound_account_id: &Uuid,
+	doll: CreateDollProfile<'_>,
+) -> sqlx::Result<()> {
 	sqlx::query!(
 		r#"
 			update doll_profiles
@@ -132,7 +136,7 @@ pub async fn edit(db: &mut DbHook, doll: CreateDollProfile<'_>) -> sqlx::Result<
 			chassis_color = $14,
 			archived_at = null,
 			updated_at = current_timestamp
-			where id = $15
+			where id = $15 and bound_to_id = $16
 		"#,
 		doll.microchip_id,
 		doll.name,
@@ -149,6 +153,7 @@ pub async fn edit(db: &mut DbHook, doll: CreateDollProfile<'_>) -> sqlx::Result<
 		doll.chassis_id,
 		doll.chassis_color,
 		doll.id,
+		bound_account_id
 	)
 	.execute(&mut **db)
 	.await?;
@@ -164,7 +169,7 @@ pub async fn edit(db: &mut DbHook, doll: CreateDollProfile<'_>) -> sqlx::Result<
 /// the account holder to "re-create" one with this ID.
 ///
 /// A period of time after which deleted accounts will have their IDs freed is to be set.
-pub async fn delete(trx: &mut TrxHook<'_>, id: i32) -> sqlx::Result<()> {
+pub async fn delete(trx: &mut TrxHook<'_>, id: i32, bound_account_id: &Uuid) -> sqlx::Result<()> {
 	sqlx::query!(
 		r#"
 			update doll_profiles
@@ -184,9 +189,10 @@ pub async fn delete(trx: &mut TrxHook<'_>, id: i32) -> sqlx::Result<()> {
 			chassis_color = null,
 			updated_at = current_timestamp,
 			archived_at = current_timestamp
-			where id = $1
+			where id = $1 and bound_to_id = $2
 		"#,
-		id
+		id,
+		bound_account_id
 	)
 	.execute(&mut **trx)
 	.await?;
@@ -206,7 +212,7 @@ pub async fn delete_all_from_account(trx: &mut TrxHook<'_>, from: &Uuid) -> sqlx
 	.fetch_all(&mut **trx)
 	.await?;
 	for tag in tags {
-		delete(trx, tag.id).await?;
+		delete(trx, tag.id, from).await?;
 	}
 
 	// 2. unlink archived tags from the account

src/routes/account.rs

@@ -244,20 +244,24 @@ pub async fn export_data(
 pub async fn ask_delete(
 	mut db: DollTagsDb,
 	id: i32,
-	_user: User,
+	user: User,
 	meta: CommonTemplateState,
 ) -> PageResult {
 	let db_tag = doll::get(&mut *db, id, "", false).await?;
 
 	if let Some(tag) = db_tag {
-		Ok(Template::render(
-			"tag/delete",
-			context! {
-				meta,
-				tag,
-			},
-		)
-		.into())
+		if tag.bound_to_id != user.id {
+			Ok(Redirect::to(uri!("/account", index)).into())
+		} else {
+			Ok(Template::render(
+				"tag/delete",
+				context! {
+					meta,
+					tag,
+				},
+			)
+			.into())
+		}
 	} else {
 		Ok(Redirect::to(uri!("/account", index)).into())
 	}
@@ -271,7 +275,7 @@ pub async fn confirm_delete(
 	client_ip: IpAddr,
 ) -> PageResult {
 	let mut trx = db.begin().await?;
-	doll::delete(&mut trx, id).await?;
+	doll::delete(&mut trx, id, &user.id).await?;
 	trx.commit().await?;
 
 	warn!(

src/routes/form/register_tag.rs

@@ -80,7 +80,7 @@ impl From<DollProfile> for FakeContext {
 pub async fn show_edit_tag(
 	mut db: DollTagsDb,
 	id: &str,
-	_user: User,
+	user: User,
 	meta: CommonTemplateState,
 ) -> PageResult {
 	let normalized_id = match id_public_to_db(id) {
@@ -88,7 +88,13 @@ pub async fn show_edit_tag(
 		None => return Ok(Redirect::to(uri!("/account", account::index)).into()),
 	};
 	let tag = match doll::get(&mut *db, normalized_id, "", true).await? {
-		Some(v) => v,
+		Some(v) => {
+			if v.bound_to_id != user.id {
+				return Ok(Redirect::to(uri!("/account", account::index)).into());
+			}
+
+			v
+		}
 		None => return Ok(Redirect::to(uri!("/account", account::index)).into()),
 	};
 
@@ -290,6 +296,7 @@ pub async fn handle_edit_tag(
 
 	doll::edit(
 		&mut *db,
+		&user.id,
 		CreateDollProfile {
 			id,
 			microchip_id,