From 29c3415df2bcb93842ce7d5d3c0508e4f68f832f Mon Sep 17 00:00:00 2001
From: Justin Edmund
Date: Wed, 23 Feb 2022 16:34:36 -0800
Subject: [PATCH] Don't allow destroy if owner is not current user
---
 app/controllers/api/v1/parties_controller.rb | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/app/controllers/api/v1/parties_controller.rb b/app/controllers/api/v1/parties_controller.rb
index 50332a2..e182104 100644
--- a/app/controllers/api/v1/parties_controller.rb
+++ b/app/controllers/api/v1/parties_controller.rb
@@ -31,7 +31,11 @@ class Api::V1::PartiesController < Api::V1::ApiController
 end
 def destroy
- render :destroyed, status: :ok if @party.destroy
+ if @party.user != current_user
+ render_unauthorized_response
+ else
+ render :destroyed, status: :ok if @party.destroy
+ end
 end
 def weapons
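Review bot: The ownership check in `destroy` fails open when both sides are nil, because `@party.user != current_user` is false for `nil != nil`. If parties can exist without an owner and this action is reachable without authentication (neither is visible in this hunk), an unauthenticated request would still delete an ownerless party. Deny unless an authenticated user owns the record, e.g. `if current_user.nil? || @party.user != current_user`. Separately, when `@party.destroy` returns false the else branch renders nothing explicit, so a failed delete has no defined error response. Other mutating actions on this controller (outside the hunk) probably need the same guard, which would fit a shared `before_action` better than an inline check.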