From 8f7d536f50bd12ed397d348bdc93841a074bd50e Mon Sep 17 00:00:00 2001
From: jvyden
Date: Sun, 31 Oct 2021 19:06:58 -0400
Subject: [PATCH] Check if user owns level before unpublishing
---
 ProjectLighthouse/Controllers/PublishController.cs | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/ProjectLighthouse/Controllers/PublishController.cs b/ProjectLighthouse/Controllers/PublishController.cs
index a19b7bb8..da4d9b0c 100644
--- a/ProjectLighthouse/Controllers/PublishController.cs
+++ b/ProjectLighthouse/Controllers/PublishController.cs
@@ -111,8 +111,13 @@ namespace LBPUnion.ProjectLighthouse.Controllers
 [HttpPost("unpublish/{id:int}")]
 public async Task Unpublish(int id)
 {
+ User user = await this.database.UserFromRequest(this.Request);
+ if (user == null) return this.StatusCode(403, "");
+
 Slot slot = await this.database.Slots.Include(s => s.Location).FirstOrDefaultAsync(s => s.SlotId == id);
+ if (slot.CreatorId != user.UserId) return this.StatusCode(403, "");
+
 this.database.Locations.Remove(slot.Location);
 this.database.Slots.Remove(slot);
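Review bot: The added ownership check dereferences `slot` without a null test, although `FirstOrDefaultAsync` returns null when no slot matches the requested `id`. An authenticated caller who passes an unknown id would therefore hit a NullReferenceException at `slot.CreatorId` and get an unhandled 500 instead of a controlled response. Adding `if (slot == null) return this.NotFound();` between the query and the `CreatorId` comparison would close that. Returning the same `this.StatusCode(403, "")` there instead would keep the endpoint from revealing which slot ids exist, if that matters for this API. The body of Unpublish continues past the end of the hunk, so the rest of the method was not reviewed.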