From 1aadcacf8bbe6e0fcd24e73d5e2a6883ce0616cc Mon Sep 17 00:00:00 2001
From: John Costa
Date: Sun, 14 Sep 2025 19:09:28 +0100
Subject: [PATCH] protecting backend images

---
 backend/images/handler.go | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/backend/images/handler.go b/backend/images/handler.go
index 3c7893a..09c3123 100644
--- a/backend/images/handler.go
+++ b/backend/images/handler.go
@@ -37,12 +37,26 @@ type ImagesReturn struct {
 }
 
 func (h *ImageHandler) serveImage(w http.ResponseWriter, r *http.Request) {
- imageId, err := middleware.GetPathParamID(h.logger, "id", w, r)
+ imageID, err := middleware.GetPathParamID(h.logger, "id", w, r)
 if err != nil {
 return
 }
 
- image, err := h.imageModel.Get(r.Context(), imageId)
+ ctx := r.Context()
+
+ userID, err := middleware.GetUserID(ctx, h.logger, w)
+ if err != nil {
+ w.WriteHeader(http.StatusInternalServerError)
+ return
+ }
+
+ isAuthorized := h.imageModel.IsUserAuthorized(ctx, imageID, userID)
+ if !isAuthorized {
+ w.WriteHeader(http.StatusUnauthorized)
+ return
+ }
+
+ image, err := h.imageModel.Get(r.Context(), imageID)
 if err != nil {
 w.WriteHeader(http.StatusNotFound)
 fmt.Fprintf(w, "Could not get image")
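Review bot: The two new failure paths in serveImage return status codes that do not match their meaning: a failed `middleware.GetUserID` answers 500 and a denied `IsUserAuthorized` answers 401, while a missing image still answers 404 further down. For an authenticated caller without access, the 401-versus-404 difference reveals which image IDs exist; `w.WriteHeader(http.StatusNotFound)` on the denial path (or `http.StatusForbidden` if existence is not sensitive) and `http.StatusUnauthorized` when no user ID is available would be more accurate. `GetUserID` is handed `w`, and the `GetPathParamID` call above it returns without writing anything, so the helper may already write the error response itself; if it does, the added `WriteHeader` is redundant, which is worth confirming. `IsUserAuthorized` returns only a bool, so a lookup error inside it has to map to false for the check to fail closed, and the final `Get` could take `ctx` instead of calling `r.Context()` again. The body of serveImage continues past the end of the hunk.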