From 30fae208c2af7c2d7c929bc5fa6c4ee761d2559d Mon Sep 17 00:00:00 2001
From: CorrectRoadH <a778917369@gmail.com>
Date: Sat, 1 Jul 2023 12:04:49 +0800
Subject: [PATCH] fix: pin memos of other people (#1870)

---
 server/memo.go | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/server/memo.go b/server/memo.go
index 3477ef85..d42f919c 100644
--- a/server/memo.go
+++ b/server/memo.go
@@ -368,6 +368,17 @@ func (s *Server) registerMemoRoutes(g *echo.Group) {
 		if !ok {
 			return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
 		}
+
+		memo, err := s.Store.GetMemo(ctx, &store.FindMemoMessage{
+			ID: &memoID,
+		})
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find memo").SetInternal(err)
+		}
+		if memo.CreatorID != userID {
+			return echo.NewHTTPError(http.StatusUnauthorized, "Unauthorized")
+		}
+
 		memoOrganizerUpsert := &api.MemoOrganizerUpsert{}
 		if err := json.NewDecoder(c.Request().Body).Decode(memoOrganizerUpsert); err != nil {
 			return echo.NewHTTPError(http.StatusBadRequest, "Malformatted post memo organizer request").SetInternal(err)