From eccbc3c3d66bfe4692083ca236dec316bdfa6f26 Mon Sep 17 00:00:00 2001
From: JMARyA
Date: Thu, 9 Jan 2025 14:34:01 +0100
Subject: [PATCH] fix: limit end_session to the users own sessions
---
 src/auth/session.rs | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/auth/session.rs b/src/auth/session.rs
index 1c7068b..3b944c5 100644
--- a/src/auth/session.rs
+++ b/src/auth/session.rs
@@ -61,8 +61,9 @@ impl Sessions for User {
 
 /// End a user session
 async fn end_session(&self, id: &str) {
- sqlx::query("DELETE FROM user_session WHERE id = $1")
+ sqlx::query("DELETE FROM user_session WHERE id = $1 AND \"user\" = $2")
 .bind(id)
+ .bind(&self.username)
 .execute(get_pg!())
 .await
 .unwrap();
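Review bot: The result of `.execute(get_pg!())` is discarded after `.unwrap()`, so with the new `AND \"user\" = $2` predicate a request naming another user's session id deletes zero rows and looks identical to a successful logout. Keeping the result and checking `rows_affected() == 0` would let the function record the rejected attempt, which is the event worth alerting on after an ownership fix like this one. The `.unwrap()` also turns any database error into a panic. As `end_session` returns nothing, reporting either case to the caller would need a signature change beyond this hunk. The `impl Sessions for User` block starts and continues outside the hunk, so any other method there that takes a session id should be checked for the same ownership filter.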