From d23d5d91e9352fc1a27b315381a0ee46cc6dfbfb Mon Sep 17 00:00:00 2001
From: Joydip
Date: Mon, 1 Jun 2026 21:00:38 +0530
Subject: [PATCH] security: fix broken access control in question endpoints

---
 backend/controllers/questionController.js | 30 +++++++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/backend/controllers/questionController.js b/backend/controllers/questionController.js
index 3dca6b8..6b83273 100644
--- a/backend/controllers/questionController.js
+++ b/backend/controllers/questionController.js
@@ -68,6 +68,21 @@ const togglePinQuestion = async (req, res) => {
 .status(404)
 .json({ success: false, message: "Question not found" });
 }
+
+ const session = await Session.findById(question.session);
+ if (!session) {
+ return res
+ .status(404)
+ .json({ success: false, message: "Session not found" });
+ }
+
+ if (session.user.toString() !== req.user.id) {
+ return res.status(403).json({
+ success: false,
+ message: "Unauthorized access",
+ });
+ }
+
 question.isPinned = !question.isPinned;
 await question.save();
 
@@ -104,6 +119,21 @@ const updateQuestionNote = async (req, res) => {
 .status(404)
 .json({ success: false, message: "Question not found" });
 }
+
+ const session = await Session.findById(question.session);
+ if (!session) {
+ return res
+ .status(404)
+ .json({ success: false, message: "Session not found" });
+ }
+
+ if (session.user.toString() !== req.user.id) {
+ return res.status(403).json({
+ success: false,
+ message: "Unauthorized access",
+ });
+ }
+
 question.note = note || "";
 await question.save();
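Review bot: The ownership check added after the "Question not found" branch in togglePinQuestion answers 404 when the session is missing but 403 when it belongs to another user, so any authenticated caller can tell which question ids exist; folding the owner into the lookup removes that difference and one database round trip: `const session = await Session.findOne({ _id: question.session, user: req.user.id });` followed by the existing `if (!session)` 404 branch, with the `!==` block dropped. The same fifteen lines are repeated verbatim in the updateQuestionNote hunk, which should take the same change, or both handlers should call one shared helper so the two checks cannot drift apart. This relies on `req.user.id` being the string form of the owner id as set by the auth middleware, which is not visible here; if the middleware exposes `req.user._id` instead, the comparison needs adjusting. Both togglePinQuestion and updateQuestionNote begin and end outside their hunks.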