| author | nsfisis <nsfisis@gmail.com> | 2025-12-30 22:12:04 +0900 |
|---|---|---|
| committer | nsfisis <nsfisis@gmail.com> | 2025-12-30 22:12:04 +0900 |
| commit | 953e6aeca4a1cf5dcba2148ab638a357cd6e60a0 (patch) | |
| tree | 8bd3f373640eb18eb497d05caac958edce286d9e /docs | |
| parent | c2eb7513834eeb5adfa53fff897f585de87e4821 (diff) | |
fix(sync): verify card ownership before update in push
Previously, when updating an existing card during sync push, only the
target deck ownership was verified. This allowed a user who knew another
user's card ID to potentially update that card by specifying their own
deck. Now the query joins with decks table to verify the existing card
belongs to the current user.
🤖 Generated with [Claude Code](https://claude.ai/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
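The ownership check described in the commit message above, shown before and after the fix. This is an added example, not code from the kioku repository: the table layout, column names and function names are assumptions, and a subquery on `decks` stands in for the join.

```python
import sqlite3

# Hypothetical schema and rows, constructed for this example.
SCHEMA = """
CREATE TABLE decks (id TEXT PRIMARY KEY, user_id TEXT NOT NULL);
CREATE TABLE cards (id TEXT PRIMARY KEY, deck_id TEXT NOT NULL, front TEXT);
INSERT INTO decks VALUES ('deck-alice', 'alice'), ('deck-bob', 'bob');
INSERT INTO cards VALUES ('card-alice-1', 'deck-alice', 'original');
"""

def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def owns_deck(db, user_id, deck_id):
    row = db.execute("SELECT 1 FROM decks WHERE id = ? AND user_id = ?",
                     (deck_id, user_id)).fetchone()
    return row is not None

def push_card_before(db, user_id, card):
    """Pre-fix behaviour: only the target deck's ownership is checked."""
    if not owns_deck(db, user_id, card["deck_id"]):
        return 0
    cur = db.execute("UPDATE cards SET deck_id = ?, front = ? WHERE id = ?",
                     (card["deck_id"], card["front"], card["id"]))
    return cur.rowcount

def push_card_after(db, user_id, card):
    """Post-fix behaviour: the existing card must also sit in a deck the caller owns."""
    if not owns_deck(db, user_id, card["deck_id"]):
        return 0
    cur = db.execute(
        """UPDATE cards SET deck_id = ?, front = ?
           WHERE id = ?
             AND deck_id IN (SELECT id FROM decks WHERE user_id = ?)""",
        (card["deck_id"], card["front"], card["id"], user_id))
    return cur.rowcount  # 0 rows means the card is not the caller's: reject

def front_of(db, card_id):
    return db.execute("SELECT front FROM cards WHERE id = ?", (card_id,)).fetchone()[0]

# Constructed request: bob names alice's card ID together with his own deck.
CROSS_USER_PUSH = {"id": "card-alice-1", "deck_id": "deck-bob", "front": "changed"}
```

A regression test for the fix can assert exactly this: the cross-user push affects zero rows and the original card is unchanged.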
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/dev/roadmap.md | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/docs/dev/roadmap.md b/docs/dev/roadmap.md index d877d78..ed45ea6 100644 --- a/docs/dev/roadmap.md +++ b/docs/dev/roadmap.md @@ -197,7 +197,7 @@ Smaller features first to enable early MVP validation. - [x] Configure CORS middleware ### Medium Priority -- [ ] Fix card update authorization in sync push (verify existing card ownership) +- [x] Fix card update authorization in sync push (verify existing card ownership) - [ ] Unify password length requirement (add-user.ts: 8 chars → 15 chars) ### Low Priority |
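Review bot: The `- [x] Fix card update authorization in sync push (verify existing card ownership)` line under Medium Priority marks the item done, but nothing in this docs-only view pins the behaviour down. Before treating it as closed, confirm the commit carries a regression test in which a push that names another user's card ID together with the caller's own deck is rejected and leaves the card unchanged, and consider noting that test next to the roadmap entry. The neighbouring item, `Unify password length requirement (add-user.ts: 8 chars → 15 chars)`, is still unchecked, so the 8 versus 15 character mismatch it records remains open after this change.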
