From 16c8a8cbcfdab57398e3d388acecd60c11cc4797 Mon Sep 17 00:00:00 2001
From: Florian Dewald <florian@dwald.de>
Date: Mon, 3 Nov 2025 09:46:23 +0000
Subject: [PATCH] Add owner checks to setting memo relations

---
 server/router/api/v1/memo_relation_service.go | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/server/router/api/v1/memo_relation_service.go b/server/router/api/v1/memo_relation_service.go
index 247f85ac8..77cff1a38 100644
--- a/server/router/api/v1/memo_relation_service.go
+++ b/server/router/api/v1/memo_relation_service.go
@@ -14,6 +14,13 @@ import (
 )
 
 func (s *APIV1Service) SetMemoRelations(ctx context.Context, request *v1pb.SetMemoRelationsRequest) (*emptypb.Empty, error) {
+	user, err := s.GetCurrentUser(ctx)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to get current user: %v", err)
+	}
+	if user == nil {
+		return nil, status.Errorf(codes.Unauthenticated, "user not authenticated")
+	}
 	memoUID, err := ExtractMemoUIDFromName(request.Name)
 	if err != nil {
 		return nil, status.Errorf(codes.InvalidArgument, "invalid memo name: %v", err)
@@ -22,6 +29,9 @@ func (s *APIV1Service) SetMemoRelations(ctx context.Context, request *v1pb.SetMe
 	if err != nil {
 		return nil, status.Errorf(codes.Internal, "failed to get memo")
 	}
+	if memo.CreatorID != user.ID && !isSuperUser(user) {
+		return nil, status.Errorf(codes.PermissionDenied, "permission denied")
+	}
 	referenceType := store.MemoRelationReference
 	// Delete all reference relations first.
 	if err := s.Store.DeleteMemoRelation(ctx, &store.DeleteMemoRelation{