From 7337e09bdb2d8c740cee1f9bf5cdbde938da0a2b Mon Sep 17 00:00:00 2001
From: Matteo Susca
Date: Mon, 2 Feb 2026 16:54:42 +0100
Subject: [PATCH] PIX-106 fix: improve lobby owner authorization for canvas clearing by introducing an `isOwner` variable and handling cases where the lobby owner is undefined.
---
 server/src/sockets/index.ts | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/server/src/sockets/index.ts b/server/src/sockets/index.ts
index 4f0e85a..60bae82 100644
--- a/server/src/sockets/index.ts
+++ b/server/src/sockets/index.ts
@@ -81,11 +81,16 @@ export const setupSocket = (io: Server) => {
 if (!user || !user.id) return;
 
 const lobby = await LobbyService.getById(lobbyId);
- if (!lobby || !lobby.owner) return;
+ if (!lobby) return;
 
- const ownerId = (lobby.owner as any)._id ? (lobby.owner as any)._id.toString() : lobby.owner.toString();
+ let ownerId: string | null = null;
+ if (lobby.owner) {
+ ownerId = (lobby.owner as any)._id ? (lobby.owner as any)._id.toString() : lobby.owner.toString();
+ }
+
+ const isOwner = ownerId && ownerId === user.id;
 
- if (ownerId !== user.id && !user.isAdmin) {
+ if (!isOwner && !user.isAdmin) {
 socket.emit(CONFIG.EVENTS.SERVER.ERROR, { message: "Only the lobby owner or admin can clear the canvas" });
 return;
 }
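Review bot: The authorization decision at `if (!isOwner && !user.isAdmin)` rests on `user.id` and `user.isAdmin`, and the hunk does not show where `user` is populated. It should come from server-verified socket state (the authenticated handshake or session), never from the event payload, because a client-supplied `isAdmin` would satisfy this check on its own. Separately, `ownerId && ownerId === user.id` is typed `boolean | "" | null` rather than `boolean`, and the strict comparison only matches if `user.id` is already a string; `const isOwner = ownerId !== null && ownerId === String(user.id);` makes both explicit. The two `(lobby.owner as any)` casts also hide the populated-versus-id shape of `owner` from the compiler, so a short comment on which shapes `LobbyService.getById` can return would help. The handler begins and ends outside this hunk, so the origin of `user` and `lobbyId` could not be checked here.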