From 32439ca2f08514c54f00b5c5136add45d62e9b21 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Guillot?=
Date: Fri, 7 May 2021 16:25:44 -0700
Subject: [PATCH] Security fix: any user can delete any feed

Regression introduced in commit 51fb949.
---
 storage/feed.go | 2 +-
 ui/feed_remove.go | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/storage/feed.go b/storage/feed.go
index b3126ab8..5b571054 100644
--- a/storage/feed.go
+++ b/storage/feed.go
@@ -381,7 +381,7 @@ func (s *Storage) RemoveFeed(userID, feedID int64) error {
 }
 }
- if _, err := s.db.Exec(`DELETE FROM feeds WHERE id=$1`, feedID); err != nil {
+ if _, err := s.db.Exec(`DELETE FROM feeds WHERE id=$1 AND user_id=$2`, feedID, userID); err != nil {
 return fmt.Errorf(`store: unable to delete feed #%d: %v`, feedID, err)
 }
diff --git a/ui/feed_remove.go b/ui/feed_remove.go
index c70d77a2..15d997d2 100644
--- a/ui/feed_remove.go
+++ b/ui/feed_remove.go
@@ -14,6 +14,12 @@ import (
 func (h *handler) removeFeed(w http.ResponseWriter, r *http.Request) {
 feedID := request.RouteInt64Param(r, "feedID")
+
+ if !h.store.FeedExists(request.UserID(r), feedID) {
+ html.NotFound(w, r)
+ return
+ }
+
 if err := h.store.RemoveFeed(request.UserID(r), feedID); err != nil {
 html.ServerError(w, r, err)
 return
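Review bot: The result of `s.db.Exec` on the new DELETE is discarded, so when `feedID` does not belong to `userID` the statement matches zero rows and RemoveFeed still returns nil, letting any caller report success for a deletion that never happened; inspect `RowsAffected()` and return an error when it is zero so the storage layer itself signals the ownership mismatch instead of relying on callers to pre-check. Scoping the DELETE by `user_id` is the right fix; the rows-affected check complements it for any other caller of RemoveFeed that does not verify ownership first. RemoveFeed starts before this hunk, and the two closing braces at the top suggest an earlier loop whose queries are worth checking for the same `user_id` restriction.
```go
	result, err := s.db.Exec(`DELETE FROM feeds WHERE id=$1 AND user_id=$2`, feedID, userID)
	if err != nil {
		return fmt.Errorf(`store: unable to delete feed #%d: %v`, feedID, err)
	}
	// Zero rows means the feed is missing or owned by another user; report it rather than succeed silently.
	if n, raErr := result.RowsAffected(); raErr == nil && n == 0 {
		return fmt.Errorf(`store: feed #%d not found for user #%d`, feedID, userID)
	}
	// … unchanged: remainder of RemoveFeed …
```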
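Review bot: `request.UserID(r)` is evaluated twice in the new code, once for `FeedExists` and once for `RemoveFeed`, and the two calls form a check-then-act split across separate queries; hoist it into a local, `userID := request.UserID(r)`, and pass `userID` to both, which also makes it evident that both queries are scoped to the same user. The added existence check is what turns a feed ID owned by another user into a 404 rather than a silent success, so it deserves a why-comment such as `// Ownership check: FeedExists is queried with the current user's ID, so another user's feed yields a 404.` Because the storage-layer DELETE in this commit is also restricted by user_id, this pre-check is defence in depth rather than the sole control, and the comment should say so. removeFeed continues past the end of the hunk.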