From 584cfa819b4858ba4e1400a3f6ff9ab9b83a4622 Mon Sep 17 00:00:00 2001
From: claude-dev
Date: Thu, 5 Mar 2026 19:46:41 +0100
Subject: [PATCH] =?UTF-8?q?Protect:=20Grundquellen=20im=20Monitor=20vor=20?= =?UTF-8?q?L=C3=B6schen/Bearbeiten=20sch=C3=BCtzen?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- delete_source/update_source: Quellen mit tenant_id=NULL geschützt
- block/unblock_domain: Nur tenant-spezifische Quellen betroffen

Co-Authored-By: Claude Opus 4.6
---
 src/routers/sources.py | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/src/routers/sources.py b/src/routers/sources.py
index 1cebb8e..c512ab1 100644
--- a/src/routers/sources.py
+++ b/src/routers/sources.py
@@ -310,7 +310,7 @@ async def block_domain(
 )
 cursor = await db.execute(
- "UPDATE sources SET status = 'inactive' WHERE LOWER(domain) = ? AND source_type != 'excluded' AND (tenant_id IS NULL OR tenant_id = ?)",
+ "UPDATE sources SET status = 'inactive' WHERE LOWER(domain) = ? AND source_type != 'excluded' AND tenant_id = ?",
 (domain, tenant_id),
 )
 feeds_deactivated = cursor.rowcount
@@ -364,11 +364,11 @@ async def unblock_domain(
 if has_feeds:
 await db.execute(
- "DELETE FROM sources WHERE LOWER(domain) = ? AND source_type = 'excluded' AND (tenant_id IS NULL OR tenant_id = ?)",
+ "DELETE FROM sources WHERE LOWER(domain) = ? AND source_type = 'excluded' AND tenant_id = ?",
 (domain, tenant_id),
 )
 cursor = await db.execute(
- "UPDATE sources SET status = 'active' WHERE LOWER(domain) = ? AND source_type != 'excluded' AND (tenant_id IS NULL OR tenant_id = ?)",
+ "UPDATE sources SET status = 'active' WHERE LOWER(domain) = ? AND source_type != 'excluded' AND tenant_id = ?",
 (domain, tenant_id),
 )
 feeds_reactivated = cursor.rowcount
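Review bot: With the `tenant_id IS NULL OR` branch gone, the UPDATE in block_domain matches no row at all when the bound `tenant_id` is None, because `tenant_id = NULL` is never true in SQL; the request then succeeds with `feeds_deactivated` equal to 0. Whether a caller without a tenant can reach this query is not visible in the hunk, so either reject that case before the statement or record the assumption with a comment such as `# tenant_id must not be None here: "tenant_id = ?" never matches NULL rows`. The DELETE and UPDATE in the unblock_domain hunk have the same property. block_domain starts and ends outside the hunk.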
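Review bot: Base sources that the previous block_domain query set to 'inactive' are no longer matched by the narrowed UPDATE in unblock_domain, so a domain blocked before this commit keeps its `tenant_id IS NULL` feeds deactivated after it is unblocked. Any 'excluded' rows stored with a NULL tenant_id are likewise skipped by the new DELETE. The commit contains no data migration, so a one-off fix for rows left in that state (or a statement in the description that none exist) is needed alongside it. A comment above the queries, for example `# base sources (tenant_id IS NULL) are deliberately left untouched`, would also keep the old predicate from being restored by accident. unblock_domain starts and ends outside the hunk.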
@@ -495,6 +495,9 @@ async def update_source(
 if not row:
 raise HTTPException(status_code=404, detail="Quelle nicht gefunden")
+ if row["tenant_id"] is None:
+ raise HTTPException(status_code=403, detail="Grundquellen koennen nur ueber die Verwaltung bearbeitet werden")
+
 _check_source_ownership(dict(row), current_user["username"])
 updates = {}
@@ -532,6 +535,9 @@ async def delete_source(
 if not row:
 raise HTTPException(status_code=404, detail="Quelle nicht gefunden")
+ if row["tenant_id"] is None:
+ raise HTTPException(status_code=403, detail="Grundquellen koennen nicht geloescht werden")
+
 _check_source_ownership(dict(row), current_user["username"])
 await db.execute("DELETE FROM sources WHERE id = ?", (source_id,))
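Review bot: The new guard in update_source only separates base sources from tenant sources; it never compares `row["tenant_id"]` with the caller's tenant, so a cross-tenant edit is still stopped only by `_check_source_ownership`, which receives just the username. If the SELECT above the hunk is not already filtered by tenant, add that comparison next to the NULL check and answer a mismatch with the existing 404 so the response does not confirm that the id exists. The identical guard in the delete_source hunk has the same gap, and the two copies could share one small helper. update_source starts and ends outside the hunk.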
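Review bot: The base-source protection in delete_source is enforced only on the row read earlier, while the statement that removes data is still `DELETE FROM sources WHERE id = ?` with no tenant condition. Repeating the condition in the statement makes the rule hold at the database level even if the row changes between the SELECT and the DELETE or if another code path reuses the query: `await db.execute("DELETE FROM sources WHERE id = ? AND tenant_id IS NOT NULL", (source_id,))`. No test for the new 403 paths is part of this commit. delete_source starts and ends outside the hunk.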