Security fix: any user can delete any feed

Regression introduced in commit 51fb949.
author: Frédéric Guillot <f@miniflux.net> 2021-05-07 16:25:44 -0700
committer: Frédéric Guillot <f@miniflux.net> 2021-05-07 16:25:44 -0700
commit: 32439ca2f08514c54f00b5c5136add45d62e9b21 (patch)
tree: 41fdabbde62f711044b49018cb9c810dcefc613e /storage/feed.go
parent: fa49bcaf8bf975a81926db322ee8ae46e7f82ec4 (diff)
download: v2-32439ca2f08514c54f00b5c5136add45d62e9b21.tar.gz
v2-32439ca2f08514c54f00b5c5136add45d62e9b21.tar.zst
v2-32439ca2f08514c54f00b5c5136add45d62e9b21.zip
1 files changed, 1 insertions, 1 deletions
diff --git a/storage/feed.go b/storage/feed.go
index b3126ab8..5b571054 100644
--- a/storage/feed.go
+++ b/storage/feed.go
@@ -381,7 +381,7 @@ func (s *Storage) RemoveFeed(userID, feedID int64) error {
 		}
 	}
 
-	if _, err := s.db.Exec(`DELETE FROM feeds WHERE id=$1`, feedID); err != nil {
+	if _, err := s.db.Exec(`DELETE FROM feeds WHERE id=$1 AND user_id=$2`, feedID, userID); err != nil {
 		return fmt.Errorf(`store: unable to delete feed #%d: %v`, feedID, err)
 	}
author	Frédéric Guillot <f@miniflux.net>	2021-05-07 16:25:44 -0700
committer	Frédéric Guillot <f@miniflux.net>	2021-05-07 16:25:44 -0700
commit	32439ca2f08514c54f00b5c5136add45d62e9b21 (patch)
tree	41fdabbde62f711044b49018cb9c810dcefc613e /storage/feed.go
parent	fa49bcaf8bf975a81926db322ee8ae46e7f82ec4 (diff)
download	v2-32439ca2f08514c54f00b5c5136add45d62e9b21.tar.gz v2-32439ca2f08514c54f00b5c5136add45d62e9b21.tar.zst v2-32439ca2f08514c54f00b5c5136add45d62e9b21.zip