2 files changed, 13 insertions, 3 deletions

diff --git a/src/error/client.rs b/src/error/client.rs
index 302581e..07d5f97 100644
--- a/src/error/client.rs
+++ b/src/error/client.rs
@@ -5,6 +5,7 @@ pub enum ClientError {
     InvalidPassword,
     NotAuthorized,
     UserNotFound { id: i64 },
+    NotQueueOwner { id: i64 },
     QueueNotFound { id: i64 },
 }
 
@@ -17,6 +18,7 @@ impl ClientError {
             Self::InvalidPassword => "InvalidPassword",
             Self::NotAuthorized => "NotAuthorized",
             Self::UserNotFound { .. } => "UserNotFound",
+            Self::NotQueueOwner { .. } => "NotQueueOwner",
             Self::QueueNotFound { .. } => "QueueNotFound",
         }
         .to_string()
@@ -33,6 +35,9 @@ impl ClientError {
 
             Self::NotAuthorized => format!("user is not authorized"),
             Self::UserNotFound { id } => format!("user with id `{}` not found", id),
+            Self::NotQueueOwner { id } => {
+                format!("you are not the owner of the queue with id `{}`", id)
+            }
             Self::QueueNotFound { id } => format!("queue with id `{}` not found", id),
         }
     }
diff --git a/src/routers/queue.rs b/src/routers/queue.rs
index df846fb..021fbe5 100644
--- a/src/routers/queue.rs
+++ b/src/routers/queue.rs
@@ -24,11 +24,16 @@ async fn get_owned_queue(
     owner_id: i64,
     db: &DatabaseConnection,
 ) -> Result<queues::Model, ApiError> {
-    Ok(queues::Entity::find_by_id(id)
-        .filter(queues::Column::OwnerId.eq(owner_id))
+    let queue = queues::Entity::find_by_id(id)
         .one(db)
         .await?
-        .ok_or(ClientError::QueueNotFound { id })?)
+        .ok_or(ClientError::QueueNotFound { id })?;
+
+    if queue.owner_id != owner_id {
+        return Err(ClientError::NotQueueOwner { id: queue.id }.into());
+    }
+
+    Ok(queue)
 }
 
 #[derive(Deserialize, ToSchema)]