Update app.js
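--- a/app.js
+++ b/app.js
@@ -305,13 +305,17 @@ app.post('/new/project', validateRequest, async (req, res) => {
 });
 
 app.post('/project/feedback', async (req, res) => {
-const { projectId, prompt, hierarchyContext, scriptContext, logContext, taskComplete, images } = req.body;
+const { userId, projectId, prompt, hierarchyContext, scriptContext, logContext, taskComplete, images } = req.body;
 
 // This now handles Hydration automatically
 const project = await StateManager.getProject(projectId);
 
 if (!project) return res.status(404).json({ error: "Project not found." });
 
+if (project.userId !== userId) {
+console.warn(`[Security] Unauthorized ping for ${projectId}. Owner: ${project.userId}, Request: ${userId}`);
+return res.status(403).json({ error: "Unauthorized: You do not own this project." });
+}
 await db.ref(`projects/${projectId}/info/status`).set("working");
 
 if (taskComplete) {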
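Review bot: The ownership check added at new line 315 compares `project.userId` against the `userId` destructured from `req.body` on new line 308, so the identity it trusts is whatever the caller writes into the request body rather than an authenticated principal, and the check only confirms that the request names the owner's id. The sibling `/new/project` route in the hunk header is registered behind `validateRequest` while this route has no middleware at all; I would register it the same way, `app.post('/project/feedback', validateRequest, async (req, res) => {`, and take the user id from whatever that middleware verifies (presumably it attaches the authenticated identity to `req`; confirm against its definition) instead of from the body. The `!==` comparison also passes when both sides are `undefined`, so a project record with no stored owner would accept a request that omits `userId`; an explicit `if (!userId) return res.status(401).json({ error: "Missing user." });` before the ownership test closes that gap. The handler body continues past the end of the hunk.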