From 14cf21d1911d753f67f67cbfea131e1057040982 Mon Sep 17 00:00:00 2001
From: Florian Dewald
Date: Mon, 3 Nov 2025 09:22:24 +0000
Subject: [PATCH] Add owner check to reaction deletion

---
 server/router/api/v1/reaction_service.go | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/server/router/api/v1/reaction_service.go b/server/router/api/v1/reaction_service.go
index 7dd007d8f..93d328729 100644
--- a/server/router/api/v1/reaction_service.go
+++ b/server/router/api/v1/reaction_service.go
@@ -55,11 +55,32 @@ func (s *APIV1Service) UpsertMemoReaction(ctx context.Context, request *v1pb.Ups
 }
 
 func (s *APIV1Service) DeleteMemoReaction(ctx context.Context, request *v1pb.DeleteMemoReactionRequest) (*emptypb.Empty, error) {
+ user, err := s.GetCurrentUser(ctx)
+ if err != nil {
+ return nil, status.Errorf(codes.Internal, "failed to get current user: %v", err)
+ }
+ if user == nil {
+ return nil, status.Errorf(codes.Unauthenticated, "user not authenticated")
+ }
+
 reactionID, err := ExtractReactionIDFromName(request.Name)
 if err != nil {
 return nil, status.Errorf(codes.InvalidArgument, "invalid reaction name: %v", err)
 }
 
+ // Check ownership of reaction
+ reactions, err := s.Store.ListReactions(ctx, &store.FindReaction{
+ ID: &reactionID,
+ })
+ if err != nil {
+ return nil, status.Errorf(codes.Internal, "failed to list reactions")
+ }
+ for _, reaction := range reactions {
+ if reaction.CreatorID != user.ID && !isSuperUser(user) {
+ return nil, status.Errorf(codes.PermissionDenied, "permission denied")
+ }
+ }
+
 if err := s.Store.DeleteReaction(ctx, &store.DeleteReaction{
 ID: reactionID,
 }); err != nil {
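Review bot: When ListReactions returns no rows for the requested ID, the ownership loop never runs and control falls through to DeleteReaction, so a request naming a non-existent reaction is neither rejected by the new check nor reported as missing; add `if len(reactions) == 0 { return nil, status.Errorf(codes.NotFound, "reaction not found") }` before the `for` loop so the authorization decision is made on a known record rather than on an empty result. Whether DeleteReaction on an unknown ID is a silent no-op is not visible in this hunk, so the fall-through may currently succeed with an empty reply. The Internal error on the list path also discards err while every other branch in the function wraps it with %v; `return nil, status.Errorf(codes.Internal, "failed to list reactions: %v", err)` keeps the error handling consistent. The body of DeleteMemoReaction continues past the end of the hunk.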