feat: prevent users from sharing projects and reviews with themselves

2026-06-28 21:49:37 +02:00 · 2026-05-16 00:05:16 +08:00 · 2026-05-16 00:05:16 +08:00 · 87e55d6046
commit 87e55d6046
parent 9e7046d4aa
4 changed files with 60 additions and 4 deletions
--- a/backend/src/routes/tabular.ts
+++ b/backend/src/routes/tabular.ts
@ -463,12 +463,18 @@ tabularRouter.patch("/:reviewId", requireAuth, async (req, res) => {
    // making the call. Normalize lowercase + dedupe + drop empties.
    let sharedWithUpdate: string[] | undefined;
    if (Array.isArray(req.body.shared_with)) {
+        const normalizedUserEmail = userEmail?.trim().toLowerCase();
        const seen = new Set<string>();
        const cleaned: string[] = [];
        for (const raw of req.body.shared_with) {
            if (typeof raw !== "string") continue;
            const e = raw.trim().toLowerCase();
            if (!e || seen.has(e)) continue;
+            if (normalizedUserEmail && e === normalizedUserEmail) {
+                return void res.status(400).json({
+                    detail: "You cannot share a tabular review with yourself.",
+                });
+            }
            seen.add(e);
            cleaned.push(e);
        }