aboutsummaryrefslogtreecommitdiffhomepage
path: root/src/server/repositories/sync.ts
diff options
context:
space:
mode:
Diffstat (limited to 'src/server/repositories/sync.ts')
-rw-r--r--src/server/repositories/sync.ts9
1 files changed, 5 insertions, 4 deletions
diff --git a/src/server/repositories/sync.ts b/src/server/repositories/sync.ts
index a1b6648..3e9f8ed 100644
--- a/src/server/repositories/sync.ts
+++ b/src/server/repositories/sync.ts
@@ -171,18 +171,18 @@ export const syncRepository: SyncRepository = {
for (const cardData of data.cards) {
const clientUpdatedAt = new Date(cardData.updatedAt);
- // Verify deck belongs to user
+ // Verify target deck belongs to user
const deckCheck = await db
.select({ id: decks.id })
.from(decks)
.where(and(eq(decks.id, cardData.deckId), eq(decks.userId, userId)));
if (deckCheck.length === 0) {
- // Deck doesn't belong to user, skip
+ // Target deck doesn't belong to user, skip
continue;
}
- // Check if card exists
+ // Check if card exists AND belongs to user (via deck ownership)
const existing = await db
.select({
id: cards.id,
@@ -190,7 +190,8 @@ export const syncRepository: SyncRepository = {
syncVersion: cards.syncVersion,
})
.from(cards)
- .where(eq(cards.id, cardData.id));
+ .innerJoin(decks, eq(cards.deckId, decks.id))
+ .where(and(eq(cards.id, cardData.id), eq(decks.userId, userId)));
if (existing.length === 0) {
// New card - insert
generated by cgit v1.2.3-70-g09d2 (git 2.46.0) at 2026-01-15 23:01:58 +0000