fix(share): 共有スナップショットへの不正な編集・削除を禁止 (SOR-20)

- PUT /:id: source_itinerary_id が設定されているスナップショットへの編集を 403 で拒否
- DELETE /:id: 同様にスナップショットの削除を 403 で拒否
- handlePublish: 初回公開のみ syncBookmarks + updateVisibility を実行し、再公開時に可視性を強制変更しないよう修正
- PUT/DELETE の新ガードに対応するテストを追加

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: Sora4431

apps/api/src/routes/itineraries.ts

@@ -57,6 +57,10 @@ itineraries.put('/:id', optionalAuthMiddleware, async (c) => {
     return c.json({ success: false, error: { code: 'NOT_FOUND', message: 'Itinerary not found' } }, 404);
   }
 
+  if (existing.source_itinerary_id) {
+    return c.json({ success: false, error: { code: 'FORBIDDEN', message: 'Cannot edit a shared snapshot' } }, 403);
+  }
+
   if (existing.password) {
     const shioriId = c.get('shioriId');
 
@@ -155,6 +159,10 @@ itineraries.delete('/:id', optionalAuthMiddleware, async (c) => {
     return c.json({ success: false, error: { code: 'NOT_FOUND', message: 'Itinerary not found' } }, 404);
   }
 
+  if (existing.source_itinerary_id) {
+    return c.json({ success: false, error: { code: 'FORBIDDEN', message: 'Cannot delete a shared snapshot' } }, 403);
+  }
+
   if (existing.password) {
     const shioriId = c.get('shioriId');
 

apps/api/test/itineraries.test.ts

@@ -229,6 +229,29 @@ describe('Itineraries API', () => {
 
       expect(response.status).toBe(404);
     });
+
+    it('returns 403 when trying to edit a shared snapshot', async () => {
+      const createRes = await app.fetch(new Request('http://localhost/api/v1/itineraries', {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ title: 'オリジナル' }),
+      }), env);
+      const { data: original } = await createRes.json() as any;
+
+      const publishRes = await app.fetch(new Request(`http://localhost/api/v1/itineraries/${original.id}/publish`, {
+        method: 'POST',
+      }), env);
+      const { data: snapshot } = await publishRes.json() as any;
+
+      const updateRes = await app.fetch(new Request(`http://localhost/api/v1/itineraries/${snapshot.id}`, {
+        method: 'PUT',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ title: '改ざん' }),
+      }), env);
+      expect(updateRes.status).toBe(403);
+      const { error } = await updateRes.json() as any;
+      expect(error.code).toBe('FORBIDDEN');
+    });
   });
 
   describe('DELETE /api/v1/itineraries/:id', () => {
@@ -261,6 +284,27 @@ describe('Itineraries API', () => {
 
       expect(response.status).toBe(404);
     });
+
+    it('returns 403 when trying to delete a shared snapshot', async () => {
+      const createRes = await app.fetch(new Request('http://localhost/api/v1/itineraries', {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ title: 'オリジナル' }),
+      }), env);
+      const { data: original } = await createRes.json() as any;
+
+      const publishRes = await app.fetch(new Request(`http://localhost/api/v1/itineraries/${original.id}/publish`, {
+        method: 'POST',
+      }), env);
+      const { data: snapshot } = await publishRes.json() as any;
+
+      const deleteRes = await app.fetch(new Request(`http://localhost/api/v1/itineraries/${snapshot.id}`, {
+        method: 'DELETE',
+      }), env);
+      expect(deleteRes.status).toBe(403);
+      const { error } = await deleteRes.json() as any;
+      expect(error.code).toBe('FORBIDDEN');
+    });
   });
 });
 

apps/web/src/routes/profile/+page.svelte

@@ -111,14 +111,16 @@
 
   let publishingId = $state<string | null>(null);
 
-  async function handlePublish(itineraryId: string) {
+  async function handlePublish(itineraryId: string, isFirstPublish: boolean) {
     if (publishingId) return;
     publishingId = itineraryId;
     try {
       const result = await itineraryApi.publish(itineraryId);
-      // ブックマークに追加して公開状態にする（/users に表示されるようにする）
-      await userApi.syncBookmarks([result.id]);
-      await userApi.updateVisibility(result.id, { is_visible: true });
+      if (isFirstPublish) {
+        // 初回公開のみ: ブックマークに追加して公開状態にする（/users に表示されるようにする）
+        await userApi.syncBookmarks([result.id]);
+        await userApi.updateVisibility(result.id, { is_visible: true });
+      }
       // ブックマーク一覧を再取得して反映
       await loadBookmarks();
     } catch {
@@ -524,15 +526,15 @@
                         </span>
                       {/if}
                       <button
-                        onclick={() => handlePublish(bookmark.itinerary_id)}
+                        onclick={() => handlePublish(bookmark.itinerary_id, false)}
                         disabled={publishingId === bookmark.itinerary_id}
                         class="text-xs px-2 py-1 rounded border border-gray-300 text-gray-600 bg-gray-50 hover:bg-gray-100 disabled:opacity-50 transition-colors"
                       >
                         {publishingId === bookmark.itinerary_id ? "公開中..." : "最新版を公開"}
                       </button>
                     {:else}
                       <button
-                        onclick={() => handlePublish(bookmark.itinerary_id)}
+                        onclick={() => handlePublish(bookmark.itinerary_id, true)}
                         disabled={publishingId === bookmark.itinerary_id}
                         class="text-xs px-2 py-1 rounded border border-indigo-300 text-indigo-700 bg-indigo-50 hover:bg-indigo-100 disabled:opacity-50 transition-colors"
                       >