From 0f930df9ebfce28d4fcf95c9ce77fd9fd76b7254 Mon Sep 17 00:00:00 2001
From: fabiante
Date: Sun, 24 Sep 2023 12:23:37 +0200
Subject: [PATCH] Add domain ownership test to PURL save endpoint

---
 api/err.go | 7 +++++++
 api/server_admin.go | 7 ++++++-
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/api/err.go b/api/err.go
index d378f1a..52cbd5f 100644
--- a/api/err.go
+++ b/api/err.go
@@ -1,10 +1,17 @@
 package api
 
 import (
+	"errors"
+
 	"github.com/fabiante/persurl/api/res"
 	"github.com/gin-gonic/gin"
 )
 
+var (
+	ErrForbidden = errors.New("you are not allowed to do this")
+)
+
+// respondWithError responds with an error and aborts the request.
 func respondWithError(ctx *gin.Context, status int, err error) {
 	response := res.ErrorList{
 		Errors: []res.Error{
diff --git a/api/server_admin.go b/api/server_admin.go
index cdb6240..d577373 100644
--- a/api/server_admin.go
+++ b/api/server_admin.go
@@ -30,7 +30,12 @@ func (s *Server) SavePURL(ctx *gin.Context) {
 		return
 	}
 
-	// todo: check user authorization on this url
+	// check authorization
+	user := getAuthenticatedUser(ctx)
+	if domain.OwnerID != user.ID {
+		respondWithError(ctx, http.StatusForbidden, ErrForbidden)
+		return
+	}
 
 	err = s.admin.SavePURL(domain, name, req.Target)
 	switch {
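Review bot: The new ownership check at `if domain.OwnerID != user.ID` uses the result of `getAuthenticatedUser(ctx)` without confirming a user is actually present; if that helper returns nil for a request the auth middleware did not populate, this line panics, and if it instead returns a zero-valued user, a domain whose OwnerID is also the zero value would pass the comparison and be writable anonymously. Guard before the comparison so the endpoint fails closed, e.g. `if user == nil { respondWithError(ctx, http.StatusForbidden, ErrForbidden); return }` (or an equivalent empty-ID check if the helper returns a value rather than a pointer — I cannot tell from the hunk). The diffstat lists no test file alongside this authorization change; a handler test covering a non-owner and an unauthenticated caller would pin the 403 behaviour. SavePURL begins before this hunk and continues after it.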