From 1b17422f1fd8af4e8b4f1d884cbd2ea80f184295 Mon Sep 17 00:00:00 2001
From: wajeht <58354193+wajeht@users.noreply.github.com>
Date: Sat, 7 Sep 2024 00:40:44 -0500
Subject: [PATCH] refactor(handler): Improve database query conditions for deletion operations
---
 src/handler.ts | 24 ++++++++++++++++++++++--
 1 file changed, 22 insertions(+), 2 deletions(-)
diff --git a/src/handler.ts b/src/handler.ts
index 6def789..80fbdf0 100644
--- a/src/handler.ts
+++ b/src/handler.ts
@@ -412,7 +412,17 @@ export async function getAppEditPageHandler(req: Request, res: Response) {
 export async function postDeleteAppChannelHandler(req: Request, res: Response) {
 const { aid, cid } = req.params;
- await db('app_channels').where({ id: cid }).del();
+ await db('app_channels')
+ .where('app_channels.id', cid)
+ .andWhere(function () {
+ this.whereExists(function () {
+ this.select('apps.id')
+ .from('apps')
+ .where('apps.id', aid)
+ .andWhere('apps.user_id', req.session?.user?.id);
+ });
+ })
+ .delete();
 return res.redirect(`/apps/${aid}/channels?toast=🗑️ deleted`);
 }
@@ -421,7 +431,17 @@ export async function postDeleteAppChannelHandler(req: Request, res: Response) {
 export async function postDeleteAppNotificationHandler(req: Request, res: Response) {
 const { id, nid } = req.params;
- await db('notifications').where({ id: nid }).del();
+ await db('notifications')
+ .where('notifications.id', nid)
+ .andWhere(function () {
+ this.whereExists(function () {
+ this.select('apps.id')
+ .from('apps')
+ .where('apps.id', id)
+ .andWhere('apps.user_id', req.session?.user?.id);
+ });
+ })
+ .delete();
 req.flash('info', '🗑️ deleted');
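Review bot: The `whereExists` subquery in both hunks (postDeleteAppChannelHandler and postDeleteAppNotificationHandler) only confirms that the app named in the URL belongs to the session user; nothing ties the row being deleted to that app, so the ownership condition holds for any `cid`/`nid` whenever the caller owns the app passed as `aid`/`id`. Correlate the subquery with the outer table, for example by adding `.whereRaw('apps.id = app_channels.app_id')` in the first hunk and `.whereRaw('apps.id = notifications.app_id')` in the second; the `app_id` column name is an assumption and should be confirmed against the schema. The optional chaining in `req.session?.user?.id` suggests the session user can be absent, so it would be safer to return 401/403 before building the query than to pass a possibly undefined value as a binding. Both handlers also report "deleted" without checking the affected-row count, which hides a rejected delete from the user and from logs. postDeleteAppNotificationHandler's body continues past the end of the hunk.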