Add server side checking for user permissions

src/forum.nim

@@ -520,6 +520,16 @@ proc updatePost(c: TForumData, postId: int, content: string,
     if row[0] == $postId:
       exec(db, crud(crUpdate, "thread", "name"), subject.get(), threadId)
 
+proc updateThread(c: TForumData, threadId: string, queryKeys: seq[string], queryValues: seq[string]) =
+    let threadAuthor = selectThreadAuthor(threadId.parseInt)
+
+    # Verify that the current user has permissions to edit the specified thread.
+    let canEdit = c.rank == Admin or c.userid == threadAuthor.name
+    if not canEdit:
+      raise newForumError("You cannot edit this thread")
+
+    exec(db, crud(crUpdate, "thread", queryKeys), queryValues)
+
 proc executeNewThread(c: TForumData, subject, msg, categoryID: string): (int64, int64) =
   const
     query = sql"""
@@ -1181,7 +1191,7 @@ routes:
     if queryKeys.len() > 0:
       queryValues.add(threadId)
       try:
-        exec(db, crud(crUpdate, "thread", queryKeys), queryValues)
+        updateThread(c, threadId, queryKeys, queryValues)
         resp Http200, "{}", "application/json"
       except ForumError as exc:
         resp Http400, $(%exc.data), "application/json"