From 5be87e6796eecbe6df4a1615d5b4da3363aa99d9 Mon Sep 17 00:00:00 2001
From: Drew DeVault <sir@cmpwn.com>
Date: Sun, 12 Apr 2020 21:10:25 -0400
Subject: [PATCH] api: fix authentication for users other than me

Hah
---
 api/auth/auth.go              | 4 ++--
 api/graph/schema.resolvers.go | 2 +-
 api/loaders/middleware.go     | 9 +++++----
 3 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/api/auth/auth.go b/api/auth/auth.go
index 8931770..b376e23 100644
--- a/api/auth/auth.go
+++ b/api/auth/auth.go
@@ -35,7 +35,7 @@ const (
 )
 
 type User struct {
-	Id               int
+	ID               int
 	Created          time.Time
 	Updated          time.Time
 	Username         string
@@ -130,7 +130,7 @@ Expected 'Authentication: Bearer <token>'`, http.StatusForbidden)
 				return
 			}
 			if err := rows.Scan(&expires, &scopes,
-				&user.Id, &user.Username,
+				&user.ID, &user.Username,
 				&user.Created, &user.Updated,
 				&user.Email,
 				&user.UserType,
diff --git a/api/graph/schema.resolvers.go b/api/graph/schema.resolvers.go
index 018bc31..a187a4a 100644
--- a/api/graph/schema.resolvers.go
+++ b/api/graph/schema.resolvers.go
@@ -57,7 +57,7 @@ func (r *queryResolver) Version(ctx context.Context) (*model.Version, error) {
 func (r *queryResolver) Me(ctx context.Context) (*model.User, error) {
 	user := auth.ForContext(ctx)
 	return &model.User{
-		ID:       user.Id,
+		ID:       user.ID,
 		Created:  user.Created,
 		Updated:  user.Updated,
 		Username: user.Username,
diff --git a/api/loaders/middleware.go b/api/loaders/middleware.go
index b6ca89e..70a8faf 100644
--- a/api/loaders/middleware.go
+++ b/api/loaders/middleware.go
@@ -9,6 +9,7 @@ import (
 
 	"github.com/lib/pq"
 
+	"git.sr.ht/~sircmpwn/git.sr.ht/api/auth"
 	"git.sr.ht/~sircmpwn/git.sr.ht/api/graph/model"
 )
 
@@ -73,11 +74,11 @@ func fetchRepositoriesByID(ctx context.Context,
 			FULL OUTER JOIN
 				access ON repo.id = access.repo_id
 			WHERE
-				repo.id = ANY($1)
-				AND (access.user_id = 1
-					OR repo.owner_id = 1
+				repo.id = ANY($2)
+				AND (access.user_id = $1
+					OR repo.owner_id = $1
 					OR repo.visibility != 'private')
-			`, pq.Array(ids)); err != nil {
+			`, auth.ForContext(ctx).ID, pq.Array(ids)); err != nil {
 			panic(err)
 		}
 		defer rows.Close()
-- 
2.38.4