From 9bd57109333274928ed6056316fbe2cd0d9588ff Mon Sep 17 00:00:00 2001
From: elweyn
Date: Tue, 5 Jul 2022 09:37:41 +0200
Subject: [PATCH] Add check if user is owner of the contribution before deleting.
---
backend/src/graphql/resolver/ContributionResolver.ts | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/backend/src/graphql/resolver/ContributionResolver.ts b/backend/src/graphql/resolver/ContributionResolver.ts
index e75471c08..bdd8e74a4 100644
--- a/backend/src/graphql/resolver/ContributionResolver.ts
+++ b/backend/src/graphql/resolver/ContributionResolver.ts
@@ -35,11 +35,18 @@ export class ContributionResolver {
 @Authorized([RIGHTS.DELETE_CONTRIBUTION])
 @Mutation(() => Boolean)
- async adminDeleteContribution(@Arg('id', () => Int) id: number): Promise {
+ async adminDeleteContribution(
+ @Arg('id', () => Int) id: number,
+ @Ctx() context: Context,
+ ): Promise {
+ const user = getUser(context)
 const contribution = await Contribution.findOne(id)
 if (!contribution) {
 throw new Error('Contribution not found for given id.')
 }
+ if (contribution.userId !== user.id) {
+ throw new Error('Can not delete contribution of another user')
+ }
 const res = await contribution.softRemove()
 return !!res
 }
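Review bot: The new ownership check at `if (contribution.userId !== user.id)` answers a probe of an arbitrary id with a different error than the not-found case, so the message `Can not delete contribution of another user` confirms to the caller that a contribution with that id exists and belongs to someone else; the usual shape is to make the owner part of the lookup and fail identically for both cases, e.g. `const contribution = await Contribution.findOne({ id, userId: user.id })` followed by the existing not-found throw, dropping the separate comparison, which also leaves one authorization path instead of a lookup followed by a check. Separately, the mutation is named `adminDeleteContribution` and gated on `RIGHTS.DELETE_CONTRIBUTION`, yet after this patch a holder of that right can delete only contributions they own — if admins are expected to delete other users' contributions this check blocks that, and if the restriction is intended a comment such as `// Holders of DELETE_CONTRIBUTION may still only delete their own contributions` would record it. Whether `getUser(context)` can return undefined under `@Authorized` is not visible here; if it can, `user.id` would fail with a TypeError rather than a deliberate authorization error.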