security fix: disallow editing threads and posts by other users

internal/app/handlers/editpost.go

@@ -35,7 +35,8 @@ func EditPost(request map[string]interface{}, username string, auth bool) interf
 	}
 
 	// insert into database
-	_, err = db.DB.Exec("UPDATE posts SET content = $1 FROM users WHERE posts.id = $2 AND users.username = $3;",
+	_, err = db.DB.Exec(`UPDATE posts SET content = $1 FROM users
+						WHERE posts.author = users.id AND posts.id = $2 AND users.username = $3;`,
 		content, postID, username)
 	if err != nil {
 		// print and return error

internal/app/handlers/editthread.go

@@ -38,7 +38,7 @@ func EditThread(request map[string]interface{}, username string, auth bool) inte
 
 	// insert into database
 	_, err = db.DB.Exec(`UPDATE threads SET threadname = $1, content = $2 FROM users
-						WHERE threads.id = $3 AND users.username = $4;`,
+						WHERE threads.author = users.id AND threads.id = $3 AND users.username = $4;`,
 		title, content, threadID, username)
 	if err != nil {
 		// print and return error