Restrict custom view updates/deletions to owner (#1751)

Author: skwowet

backend/src/database/repositories/customViewRepository.ts

@@ -63,6 +63,11 @@ class CustomViewRepository {
       throw new Error404()
     }
 
+    // don't allow other users private custom views to be updated
+    if (record.visibility === 'user' && record.createdById !== currentUser.id) {
+      throw new Error('Update not allowed as custom view was not created by user!')
+    }
+
     // we don't allow placement to be updated
     record = await record.update(
       {
@@ -112,6 +117,11 @@ class CustomViewRepository {
       throw new Error404()
     }
 
+    // don't allow other users private custom views to be deleted
+    if (record.visibility === 'user' && record.createdById !== currentUser.id) {
+      throw new Error('Deletion not allowed as custom view was not created by user!')
+    }
+
     // update who deleted the custom view
     await record.update(
       {