From f14bb63393bbd87e2558a18b539570dc740249ff Mon Sep 17 00:00:00 2001
From: James Grugett <jahooma@gmail.com>
Date: Wed, 1 Jun 2022 18:30:40 -0500
Subject: [PATCH] Check that sold bet is by auth'd user

---
 functions/src/sell-bet.ts | 1 +
 1 file changed, 1 insertion(+)

diff --git a/functions/src/sell-bet.ts b/functions/src/sell-bet.ts
index 39ed8017..3ef5a094 100644
--- a/functions/src/sell-bet.ts
+++ b/functions/src/sell-bet.ts
@@ -50,6 +50,7 @@ export const sellBet = functions.runWith({ minInstances: 1 }).https.onCall(
       if (!betSnap.exists) return { status: 'error', message: 'Invalid bet' }
       const bet = betSnap.data() as Bet
 
+      if (userId !== bet.userId) return { status: 'error', message: 'Not authorized' }
       if (bet.isSold) return { status: 'error', message: 'Bet already sold' }
 
       const newBetDoc = firestore