From fc41883b1f218dae9abc216251b930cf1deb22b3 Mon Sep 17 00:00:00 2001 From: Arthur Belleville Date: Fri, 15 May 2026 08:30:11 +0200 Subject: [PATCH] fix(03): CR-01 WR-01 WR-02 add color to UpdateTablo and user_id filters to GetTabloByID/DeleteTablo - UpdateTablo SQL: add color = \$4 so color is preserved across title/description edits - GetTabloByID SQL: add AND user_id = \$2 to push ownership enforcement into the DB layer - DeleteTablo SQL: add AND user_id = \$2 to push authorization into the DB layer - sqlc bindings regenerated (UpdateTabloParams+Color, GetTabloByIDParams, DeleteTabloParams) Co-Authored-By: Claude Sonnet 4.6 (1M context)
---
 backend/internal/db/queries/tablos.sql | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/backend/internal/db/queries/tablos.sql b/backend/internal/db/queries/tablos.sql
index b2bb6f2..606e8a3 100644
--- a/backend/internal/db/queries/tablos.sql
+++ b/backend/internal/db/queries/tablos.sql
@@ -7,7 +7,7 @@ ORDER BY created_at DESC;
 -- name: GetTabloByID :one
 SELECT id, user_id, title, description, color, created_at, updated_at
 FROM tablos
-WHERE id = $1;
+WHERE id = $1 AND user_id = $2;
 
 -- name: InsertTablo :one
 INSERT INTO tablos (user_id, title, description, color)
@@ -16,9 +16,9 @@ RETURNING id, user_id, title, description, color, created_at, updated_at;
 
 -- name: UpdateTablo :one
 UPDATE tablos
-SET title = $2, description = $3, updated_at = now()
+SET title = $2, description = $3, color = $4, updated_at = now()
 WHERE id = $1
 RETURNING id, user_id, title, description, color, created_at, updated_at;
 
 -- name: DeleteTablo :exec
-DELETE FROM tablos WHERE id = $1;
+DELETE FROM tablos WHERE id = $1 AND user_id = $2;
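Review bot: The GetTabloByID query in the first hunk carries no comment saying it is now owner-scoped, so a reader of the query file cannot tell that a missing tablo and a tablo owned by another user both come back as no row. I would add a line under the `-- name:` annotation such as `-- Owner-scoped: yields no row when the tablo is missing or belongs to another user.` Callers (not visible here) should map that no-row result to a single not-found response so the API does not reveal whether an id exists.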
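Review bot: UpdateTablo in the second hunk still matches on `WHERE id = $1` alone, which leaves it the only id-keyed statement in this file section without the ownership filter this commit adds to GetTabloByID and DeleteTablo. Unless every caller verifies ownership before updating (not visible here), an update addressed to another user's tablo would still succeed; `WHERE id = $1 AND user_id = $5` enforces it in the DB layer like the other two queries. Separately, DeleteTablo is `:exec`, so a delete that matches no row (missing id or wrong owner) returns no error. Changing the annotation to `-- name: DeleteTablo :execrows` would let the caller return not-found when zero rows are affected.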