From d20790ed4b77b25a844e41c5ec6966a728f97353 Mon Sep 17 00:00:00 2001
From: Dylan De Faoite
Date: Sun, 1 Mar 2026 16:10:38 +0000
Subject: [PATCH] fix: incorrect dataset authorisation check

---
 db/database.py | 9 +++++----
 server/app.py | 15 ++++++++++++---
 2 files changed, 17 insertions(+), 7 deletions(-)

diff --git a/db/database.py b/db/database.py
index cde9f7b..9f1a776 100644
--- a/db/database.py
+++ b/db/database.py
@@ -121,14 +121,15 @@ class PostgresConnector:
         execute_batch(cursor, query, values)
         self.connection.commit()
 
-    def get_dataset_by_id(self, dataset_id: int) -> pd.DataFrame:
+    def get_dataset_content(self, dataset_id: int) -> pd.DataFrame:
         query = "SELECT * FROM events WHERE dataset_id = %s"
         result = self.execute(query, (dataset_id,), fetch=True)
         return pd.DataFrame(result)
 
-    def get_datasets_for_user(self, user_id: int) -> list:
-        query = "SELECT * FROM datasets WHERE user_id = %s"
-        return self.execute(query, (user_id,), fetch=True)
+    def get_dataset_info(self, dataset_id: int) -> dict:
+        query = "SELECT * FROM datasets WHERE id = %s"
+        result = self.execute(query, (dataset_id,), fetch=True)
+        return result[0] if result else None
 
     def close(self):
         if self.connection:
diff --git a/server/app.py b/server/app.py
index 65ef133..961fd88 100644
--- a/server/app.py
+++ b/server/app.py
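Review bot: `get_dataset_info` is annotated `-> dict` but its last line `return result[0] if result else None` returns `None` when no `datasets` row matches, so the annotation misleads callers and the new `get_dataset` handler in server/app.py (same commit) calls `.get()` on the result without a `None` check. Change the signature to `def get_dataset_info(self, dataset_id: int) -> dict | None:` (or `Optional[dict]` if the project targets pre-3.10) and add a docstring such as `"""Return the datasets row for dataset_id as a mapping, or None if no such dataset exists."""`. Whether `result[0]` is actually a mapping depends on the cursor factory used inside `execute`, which is outside this hunk; the caller's `.get("user_id")` only works if rows are dict-like, so that assumption is worth stating in the docstring. The enclosing class `PostgresConnector` continues outside the hunk.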
@@ -132,11 +132,20 @@ def upload_data():
         return jsonify({"error": f"An unexpected error occurred: {str(e)}"}), 500
 
 @app.route('/dataset/', methods=['GET'])
+@jwt_required()
 def get_dataset(dataset_id):
-    if stat_obj is None:
-        return jsonify({"error": "No data uploaded"}), 400
+    current_user = get_jwt_identity()
+    dataset = db.get_dataset_info(dataset_id)
+
+    if dataset.get("user_id") != int(current_user):
+        return jsonify({"error": "Unauthorized access to dataset"}), 403
 
-    return stat_obj.df.to_json(orient="records"), 200, {"Content-Type": "application/json"}
+    dataset_content = db.get_dataset_content(dataset_id)
+
+    if dataset_content.empty:
+        return jsonify({"error": "Dataset content not found"}), 404
+
+    return jsonify(dataset_content.to_dict(orient="records")), 200
 
 @app.route('/stats/content', methods=['GET'])
 def word_frequencies():
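Review bot: The ownership check `dataset.get("user_id") != int(current_user)` runs before verifying that a row was found, and `db.get_dataset_info` (db/database.py hunk in this commit) returns `None` for an unknown id, so a request for a nonexistent dataset raises `AttributeError` and surfaces as a 500 instead of a clean 404. Insert `if dataset is None: return jsonify({"error": "Dataset not found"}), 404` immediately after the `get_dataset_info` call, ahead of the user_id comparison. The comparison itself fails closed (a row without `user_id` yields `None != int(...)` and a 403), which is the right default for an authorisation gate. `int(current_user)` raises `ValueError` if the JWT identity is not a numeric string; whether it always is depends on token issuance outside this hunk, so an explicit guard or a `str`-based comparison is worth considering. The route decorator as shown reads `'/dataset/'` with no path converter for `dataset_id`; if that is not a rendering artefact of this page, the parameter is never bound.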