From 48c7beb54e2adbec251d8593e644c9aed190c1c3 Mon Sep 17 00:00:00 2001
From: Karina Kwiatek
Date: Sun, 1 Jan 2023 22:07:02 +0100
Subject: [PATCH] Only allow checking of own subscriptions

---
 app/controllers/ajax/web_push_controller.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/controllers/ajax/web_push_controller.rb b/app/controllers/ajax/web_push_controller.rb
index d6ef3032..e9723c54 100644
--- a/app/controllers/ajax/web_push_controller.rb
+++ b/app/controllers/ajax/web_push_controller.rb
@@ -14,7 +14,7 @@ class Ajax::WebPushController < AjaxController
 def check
 params.permit(:endpoint)

- found = WebPushSubscription.where("subscription ->> 'endpoint' = ?", params[:endpoint]).first
+ found = current_user.web_push_subscriptions.where("subscription ->> 'endpoint' = ?", params[:endpoint]).first

 @response[:status] = if found
 if found.failures >= 3
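Review bot: The rewritten `found =` line now dereferences `current_user`, and nothing visible in the hunk shows that `check` is behind a sign-in filter. If an unauthenticated request can reach it, the lookup raises on nil instead of returning a clean denial, so confirm the controller or its parent enforces authentication for this action. The ownership scoping is the security-relevant part of this line and deserves a comment above it, for example `# Scoped to current_user: a caller must not learn whether another account's endpoint exists or is failing.` A request spec that submits a second user's endpoint and asserts it is reported as not found would stop this regressing. The other actions in this controller are outside the hunk and may need the same per-user scoping; the body of `check` also continues past the end of the hunk.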