fix(forum): add author ownership check to updateForum and deleteForum#270

Merged
omkarhole merged 1 commit into
omkarhole:mainfrom
anshul23102:fix/264-forum-ownership-check
Jun 2, 2026
Conversation

@anshul23102
Contributor

Summary

Closes #264

updateForum and deleteForum in backend/controllers/forum.controller.js verified only that the caller was authenticated but never checked whether the caller was the original author. Any logged-in user could modify or delete any other user's topic.

What Changed

backend/controllers/forum.controller.js only:

  • Both handlers now fetch the topic by ID first and compare topic.user against req.user.id.
  • A mismatch returns 403 Not authorised.
  • updateForum also restricts updatable fields to title and description, preventing the author field from being overwritten via the request body.

Testing

  1. Log in as User A. Try to update or delete a topic created by User B. Expect 403.
  2. Log in as the topic's original author. Update/delete succeeds.
  3. Verify a non-existent topic ID returns 404.

Type of Change

  • Bug fix (security)

NSoC '26 contribution

Closes omkarhole#264

updateForum and deleteForum verified only that the caller was
authenticated but never checked authorship. Any logged-in user could
modify or delete any other user's forum topic by knowing its ID.

Both handlers now fetch the topic first and compare topic.user against
the verified req.user.id. A mismatch returns 403. The update path also
restricts which fields can be changed to title and description,
preventing the author field from being overwritten via req.body.
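The ownership check and field whitelist the PR describes, as an added example that is not the project's forum.controller.js: Express-style updateForum/deleteForum handlers that load the topic by ID, return 404 when it does not exist, compare the stored author against req.user.id (set by the auth middleware, never taken from req.body) and return 403 on mismatch, and copy only title and description from the body. The in-memory `topics` store, the Topic shape ({ id, user, title, description }), `makeRes`, `call` and `runTestPlan` are hypothetical stand-ins so the file runs under plain Node without Express or a database.

```javascript
// Added example, not the project's own controller. Express-style handlers with
// the author-ownership check; store, model shape and req/res helpers are
// hypothetical stand-ins so this runs stand-alone.

// Constructed sample data: one topic each for two different users.
const topics = new Map();
function resetTopics() {
  topics.clear();
  topics.set('t1', { id: 't1', user: 'userA', title: 'Hello', description: 'first post' });
  topics.set('t2', { id: 't2', user: 'userB', title: 'Hi', description: 'second post' });
}
resetTopics();

// Only these keys may be changed through updateForum; `user` is deliberately absent.
const UPDATABLE_FIELDS = ['title', 'description'];

// Minimal stand-in for Express's res: records the status and JSON body for inspection.
function makeRes() {
  const res = { statusCode: 200, body: undefined };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (payload) => { res.body = payload; return res; };
  return res;
}

// Shared guard: load the topic by ID, then require that the caller is its author.
// Returns the topic on success; on failure writes the 404/403 response and returns null.
function loadOwnedTopic(req, res) {
  const topic = topics.get(req.params.id);
  if (!topic) {
    res.status(404).json({ message: 'Topic not found' });
    return null;
  }
  // Compare the stored author against the identity the auth middleware put on
  // req.user, never against anything in req.body. Stringify both sides so an
  // ObjectId-like stored value and a string id compare by value, not identity.
  if (String(topic.user) !== String(req.user.id)) {
    res.status(403).json({ message: 'Not authorised' });
    return null;
  }
  return topic;
}

function updateForum(req, res) {
  const topic = loadOwnedTopic(req, res);
  if (!topic) return res;
  const body = req.body || {};
  // Whitelist copy: a `user` key (or any other unexpected key) in the body is
  // ignored, so the author cannot be rewritten through the request body.
  for (const field of UPDATABLE_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(body, field)) {
      topic[field] = body[field];
    }
  }
  return res.status(200).json(topic);
}

function deleteForum(req, res) {
  const topic = loadOwnedTopic(req, res);
  if (!topic) return res;
  topics.delete(topic.id);
  return res.status(200).json({ message: 'Topic deleted' });
}

// Simulates a request from an already-authenticated user (req.user set upstream).
function call(handler, userId, topicId, body = {}) {
  const req = { user: { id: userId }, params: { id: topicId }, body };
  return handler(req, makeRes());
}

// Walks through the PR's test plan on a fresh store; returns [label, result] pairs.
function runTestPlan() {
  resetTopics();
  return [
    ["A updates B's topic", call(updateForum, 'userA', 't2', { title: 'pwned' }).statusCode],
    ["A deletes B's topic", call(deleteForum, 'userA', 't2').statusCode],
    ['A updates own topic, body also sets user', call(updateForum, 'userA', 't1', { title: 'Edited', user: 'userB' }).statusCode],
    ['author field after that update', topics.get('t1').user],
    ['unknown topic id', call(deleteForum, 'userA', 'missing').statusCode],
    ['B deletes own topic', call(deleteForum, 'userB', 't2').statusCode],
  ];
}

for (const [label, result] of runTestPlan()) console.log(`${label}: ${result}`);
```

The guard is factored into one helper so both handlers cannot drift apart; the 404 is returned before the ownership comparison, which is the order the PR's third test step expects.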
@vercel

vercel Bot commented Jun 1, 2026

@anshul23102 is attempting to deploy a commit to the omkarhole's projects Team on Vercel.

A member of the Team first needs to authorize it.

@omkarhole omkarhole merged commit dfcb0f3 into omkarhole:main Jun 2, 2026
0 of 2 checks passed
@omkarhole omkarhole added the labels NSOC'26 (Issues for the NSOC 2026 program) and level2 (5 points) Jun 2, 2026

Development

Successfully merging this pull request may close these issues.

[Bug]: updateForum and deleteForum have no ownership check, allowing any authenticated user to modify or delete any forum topic