fix: enforce ownership checks for attachments and correspondence

cesnimda
2026-03-22 14:00:24 +01:00
parent 0fa481cab6
commit a974e80ca4
2 changed files with 57 additions and 10 deletions
@@ -16,6 +16,15 @@ namespace JobTrackerApi.Controllers
_db = db;
}
// Resolve correspondence through its parent job so the DbContext's user-scoped
// job filter still protects raw id endpoints in multi-user deployments.
private Task<Correspondence?> FindOwnedMessageAsync(int correspondenceId, CancellationToken cancellationToken)
{
return _db.Correspondences
.Include(c => c.JobApplication)
.FirstOrDefaultAsync(c => c.Id == correspondenceId, cancellationToken);
}
// GET all messages for a job
[HttpGet("{jobId:int}")]
public async Task<ActionResult<List<Correspondence>>> GetForJob([FromRoute] int jobId, CancellationToken cancellationToken)
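Review bot: FindOwnedMessageAsync returns the Correspondence whenever a row with that id exists, so whether a foreign-owned message is actually rejected depends on how the Include's join is shaped rather than on an explicit ownership condition. If the `JobApplication` navigation is optional, EF Core applies the parent's query filter through a LEFT JOIN and the message comes back with `JobApplication == null`, which the `message is null` check in Delete does not catch; only a required navigation turns the join into an INNER JOIN that drops the child too, and the model is not visible here to confirm which applies (the user-scoped filter itself is only known from the comment). Making the condition explicit removes that dependency: `.FirstOrDefaultAsync(c => c.Id == correspondenceId && c.JobApplication != null, cancellationToken)`. The helper comment should also state the contract callers rely on, e.g. `// A message whose parent job is filtered out for the current user is reported as not found, never returned.`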
@@ -72,7 +81,7 @@ namespace JobTrackerApi.Controllers
[HttpDelete("{id:int}")]
public async Task<IActionResult> Delete([FromRoute] int id, CancellationToken cancellationToken)
{
var message = await _db.Correspondences.FirstOrDefaultAsync(c => c.Id == id, cancellationToken);
var message = await FindOwnedMessageAsync(id, cancellationToken);
if (message is null) return NotFound();
_db.Correspondences.Remove(message);