From 28b02aafa98b74342ded031e2d7877ecdee490e7 Mon Sep 17 00:00:00 2001
From: Minit
Date: Wed, 22 Apr 2026 13:24:52 +0530
Subject: [PATCH] fix(api): enforce ownership check on AI generation endpoint

Co-Authored-By: Claude Sonnet 4.6
---
 apps/web/app/api/video/ai/route.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/apps/web/app/api/video/ai/route.ts b/apps/web/app/api/video/ai/route.ts
index f1de882018..59919a10a8 100644
--- a/apps/web/app/api/video/ai/route.ts
+++ b/apps/web/app/api/video/ai/route.ts
@@ -3,7 +3,7 @@ import { getCurrentUser } from "@cap/database/auth/session";
 import { users, videos } from "@cap/database/schema";
 import type { VideoMetadata } from "@cap/database/types";
 import type { Video } from "@cap/web-domain";
-import { eq } from "drizzle-orm";
+import { and, eq } from "drizzle-orm";
 import type { NextRequest } from "next/server";
 import { startAiGeneration } from "@/lib/generate-ai";
 import { isAiGenerationEnabled } from "@/utils/flags";
@@ -30,7 +30,7 @@ export async function GET(request: NextRequest) {
 const result = await db()
 .select()
 .from(videos)
-.where(eq(videos.id, videoId));
+.where(and(eq(videos.id, videoId), eq(videos.ownerId, user.id)));
 if (result.length === 0 || !result[0]) {
 return Response.json(
 { error: true, message: "Video not found" },
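Review bot: The ownership filter added in the second hunk, `eq(videos.ownerId, user.id)`, is the only authorization check visible for this lookup, and nothing marks it as one, so a later refactor of the query could drop it without anyone noticing. I would put a comment above the `.where(...)` line, `// Authorization: scope the lookup to the caller's own videos; a non-owner gets the same 404 as a missing id.`, and add a route test asserting that a request from a non-owner returns "Video not found" and does not go on to trigger generation. The filter also relies on `user` having been checked for null earlier in `GET`, which starts above the hunk and is not visible here, so it is worth confirming that the unauthenticated path returns before this query runs. If other handlers for this resource still load a video by `videos.id` alone, they presumably need the same scoping.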