From 1086e9503661faf04e06d8d4fde0f5b89c77f43e Mon Sep 17 00:00:00 2001
From: Brent Schroeter <contact@brentsch.com>
Date: Thu, 11 Dec 2025 08:34:32 +0000
Subject: [PATCH] fix auth for update_field_handler

---
 .../relations_single/update_field_handler.rs  | 34 ++++++++++++++++---
 1 file changed, 29 insertions(+), 5 deletions(-)

diff --git a/phono-server/src/routes/relations_single/update_field_handler.rs b/phono-server/src/routes/relations_single/update_field_handler.rs
index c1b674a..ce47887 100644
--- a/phono-server/src/routes/relations_single/update_field_handler.rs
+++ b/phono-server/src/routes/relations_single/update_field_handler.rs
@@ -1,5 +1,13 @@
-use axum::{debug_handler, extract::Path, response::Response};
-use phono_models::{field::Field, presentation::Presentation};
+use axum::{
+    debug_handler,
+    extract::{Path, State},
+    response::Response,
+};
+use phono_models::{
+    accessors::{Accessor, Actor, portal::PortalAccessor},
+    field::Field,
+    presentation::Presentation,
+};
 use serde::Deserialize;
 use sqlx::postgres::types::Oid;
 use uuid::Uuid;
@@ -12,6 +20,7 @@ use crate::{
     navigator::{Navigator, NavigatorPage},
     presentation_form::PresentationForm,
     user::CurrentUser,
+    workspace_pooler::WorkspacePooler,
 };
 
 #[derive(Debug, Deserialize)]
@@ -59,8 +68,9 @@ impl From<FormBody> for PresentationForm {
 /// [`PathParams`].
 #[debug_handler(state = App)]
 pub(super) async fn post(
+    State(mut pooler): State<WorkspacePooler>,
     AppDbConn(mut app_db): AppDbConn,
-    CurrentUser(_user): CurrentUser,
+    CurrentUser(user): CurrentUser,
     navigator: Navigator,
     Path(PathParams {
         portal_id,
@@ -71,8 +81,22 @@ pub(super) async fn post(
 ) -> Result<Response, AppError> {
     // FIXME CSRF
 
-    // FIXME ensure workspace corresponds to rel/portal, and that user has
-    // permission to access/alter both as needed.
+    let mut workspace_client = pooler
+        .acquire_for(
+            workspace_id,
+            crate::workspace_pooler::RoleAssignment::User(user.id),
+        )
+        .await?;
+    PortalAccessor::new()
+        .id(portal_id)
+        .as_actor(Actor::User(user.id))
+        .verify_rel_oid(Oid(rel_oid))
+        .verify_workspace_id(workspace_id)
+        .verify_rel_ownership()
+        .using_workspace_client(&mut workspace_client)
+        .using_app_db(&mut app_db)
+        .fetch_one()
+        .await?;
 
     // Ensure field exists and belongs to portal.
     Field::belonging_to_portal(portal_id)