Fix: add userId filter to getGearItemsByOwner to prevent cross-user data access (#45)

theredmoose · claude · web-flow · commit 7d458aa8a427 · 2026-02-22T00:31:36.000-05:00
getGearItemsByOwner() was querying only by ownerId, which could allow a
user to fetch another user's gear if they knew the ownerId. Added a
compound query filtering by both userId and ownerId.

Also added ski base condition analyzer feature to TODO.md Future Enhancements.

Co-authored-by: theredmoose &lt;theredmoose@users.noreply.github.com&gt;
Co-authored-by: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/TODO.md b/TODO.md
@@ -19,6 +19,7 @@
 - [x] Real gear photo analysis via Claude Vision API (with mock fallback)
 - [x] Fischer and Evosports Nordic sizing models with FA Value
 - [x] Range vs single size display toggle (per-session + default in Settings)
+- [x] Square UI (all rounded corners removed globally)
 
 ## Next Up
 - [x] Persist skill levels per member in database
@@ -37,11 +38,20 @@
 - [ ] Age-specific sizing adjustments for children
 - [ ] Growth projections for kids (next season sizing)
 - [ ] Waist width recommendations for alpine skis
+- [ ] Binding safety check — warn when DIN setting is outside safe range for user's weight/skill
+- [ ] Multi-brand sizing comparison view when adding gear
+- [ ] Equipment lifespan tracking based on condition progression
+- [ ] Stance width measurement guide (visual diagram)
+- [ ] Coach/instructor notes on family member profiles
+- [ ] Ski base condition analyzer — take a photo of the bottom of a ski and use Claude Vision to determine if it needs waxing, base grinding, edge sharpening, or base repair (ptex fill)
 
 ## Technical Debt
 - [x] Code-split Firebase to reduce bundle size — chunks exceed 500KB after minification (currently 680KB), use dynamic imports
 - [ ] Add E2E tests with Playwright
 - [x] Increase test coverage to 80%+ for branches/functions — 88% stmts, 82% branches, 86% functions, 90% lines (516 tests)
+- [ ] Increase PhotoCapture test coverage (currently 38.2% — lowest in codebase)
+- [ ] Extract GEAR_TYPE_LABELS and SPORT_LABELS to a shared constants file (currently duplicated across GearCard, MemberDetail, SettingsScreen, etc.)
+- [ ] Add useMemo to MemberDetail sizingCards calculation (recalculates on every render)
 
 ## Known Issues
 
@@ -50,6 +60,11 @@
 - [x] photos/extendedDetails fields lost on Firestore read — was already fixed in `docToGearItem()`
 - [x] No user-scoped Firebase queries — was already fixed in `getAllFamilyMembers()` and `getAllGearItems()`
 - [x] status/location/checkedOutTo/checkedOutDate lost on Firestore read — fixed in `docToGearItem()` (PR #39)
+- [ ] `getGearItemsByOwner()` not filtered by userId — queries by ownerId only, not `userId + ownerId`; a user could fetch another user's gear if they know the ownerId (`src/services/firebase.ts`)
+
+### High
+- [ ] Boot unit preference (MP/EU/US) resets on every visit — `bootUnit` state in MemberDetail is local and not persisted in AppSettings
+- [ ] Hockey skate fallback size formula wrong — `MemberInfoTable.tsx:55` uses `footLength * 1.5 + 2 - 32` fallback instead of `getShoeSizesFromFootLength()` from shoeSize service
 
 ### Medium
 - [x] Negative/zero size values after conversion — MemberDetail now guards against footLength <= 0
@@ -58,6 +73,9 @@
 - [x] Missing Firebase env var validation — `src/config/firebase.ts` now throws with clear error listing missing vars
 - [ ] No account linking flow — users get stuck signing in with Google after creating email account with same address
 - [ ] No offline error handling — Firebase operations show raw errors when offline
+- [ ] Year field in GearForm accepts invalid values (0, negative, far future) — needs validation to 1980–current year + 1
+- [ ] GearForm numeric fields (tip/waist/tail profile) use parseFloat/parseInt without isNaN guard — NaN silently stored on submit
+- [ ] Foot measurement bounds not validated — MemberForm accepts values outside reasonable range (12–30 cm)
 
 ### Low
 - [x] `parseFloat(value) || undefined` treats 0 as undefined — optional numeric fields now use `e.target.value === '' ? undefined : parseFloat()`
@@ -68,6 +86,8 @@
 - [x] No loading state for gear operations — gear delete/submit in App.tsx show no loading indicators; mutations now catch errors and surface a dismissible toast
 - [x] Race condition in useAuth — `setLoading(false)` and `setError()` now guarded by mounted ref
 - [ ] No email verification on signup — email accounts created without verifying address
+- [ ] Hockey skate width thresholds (0.36, 0.40) hardcoded without source documentation (`sizing.ts:653`)
+- [ ] Firestore timestamp conversion drops nanoseconds (`firebase.ts:32`) — minor precision loss
 
 ## Notes
 - App URL: https://gearguru-b3bc8.web.app
diff --git a/src/hooks/useFirebase.ts b/src/hooks/useFirebase.ts
@@ -245,7 +245,7 @@ export function useGearItems(userId: string | null, ownerId?: string): UseGearIt
     setState((prev) => ({ ...prev, loading: true, error: null }));
     try {
       const items = ownerId
-        ? await firebaseService.getGearItemsByOwner(ownerId)
+        ? await firebaseService.getGearItemsByOwner(userId, ownerId)
         : await firebaseService.getAllGearItems(userId);
       setState({ data: items, loading: false, error: null });
     } catch (err) {
diff --git a/src/services/__tests__/firebase.test.ts b/src/services/__tests__/firebase.test.ts
@@ -386,7 +386,7 @@ describe('firebase service', () => {
 
   describe('getGearItemsByOwner', () => {
     it('returns empty array when no gear for owner', async () => {
-      const result = await getGearItemsByOwner('member-1');
+      const result = await getGearItemsByOwner('user-1', 'member-1');
       expect(result).toEqual([]);
     });
   });
diff --git a/src/services/firebase.ts b/src/services/firebase.ts
@@ -212,11 +212,12 @@ export async function getAllGearItems(userId: string): Promise<GearItem[]> {
     .sort((a, b) => new Date(b.createdAt).getTime() - new Date(a.createdAt).getTime());
 }
 
-export async function getGearItemsByOwner(ownerId: string): Promise<GearItem[]> {
+export async function getGearItemsByOwner(userId: string, ownerId: string): Promise<GearItem[]> {
   const { collection, query, where, getDocs } = await import('firebase/firestore');
   const db = await getDb();
   const q = query(
     collection(db, COLLECTIONS.GEAR_ITEMS),
+    where('userId', '==', userId),
     where('ownerId', '==', ownerId)
   );
   const snapshot = await getDocs(q);
