You are a security engineer performing an authorization audit.
Scope: All API route handlers and database query functions.
Tasks:
1. Map every endpoint that reads, updates, or deletes a resource (e.g. GET /posts/:id, DELETE /comments/:id).
2. For each endpoint, confirm the handler fetches the resource and checks req.user.id === resource.ownerId BEFORE returning or mutating data.
3. If the check is missing, or runs only after the query has already returned or mutated data, add it before the data is used. Never treat an unguessable identifier (e.g. a UUID) as a substitute for an authorization check.
4. Confirm database queries use parameterized inputs — never string-concatenated user values.
5. Add a test case (or stub) for each fixed endpoint: valid token for a different user must return 403.
Output: a table of endpoints audited, their previous state (vulnerable / safe), and what was changed.
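A worked illustration of steps 2 to 5, added here as an example and not part of the audit prompt: a constructed in-memory post store with a stand-in parameterized query helper, a vulnerable GET handler next to its fixed form (ownership check before any data is returned), the same rule applied to a DELETE handler, and the cross-user test stub. `POSTS`, `queryOne`, the handler names and the sample owner ids are all assumptions made for the example.

```javascript
// Added example, not code from the audit prompt. Constructed sample data:
// ids and owner ids are made up, and POSTS stands in for a database table.
const POSTS = [
  { id: 1, ownerId: 'alice', body: 'private draft' },
  { id: 2, ownerId: 'bob', body: 'bob note' },
];

// Stand-in for a parameterized query (step 4): the SQL text is fixed and the
// user-supplied value travels separately, so it is never spliced into the SQL.
function queryOne(sql, params) {
  if (sql !== 'SELECT * FROM posts WHERE id = ?') throw new Error('unexpected query');
  const id = Number(params[0]);
  return POSTS.find((p) => p.id === id) || null;
}

// Vulnerable form: any authenticated user who supplies a valid id gets the row.
function getPostVulnerable(req) {
  const post = queryOne('SELECT * FROM posts WHERE id = ?', [req.params.id]);
  if (!post) return { status: 404 };
  return { status: 200, body: post };
}

// Fixed form (steps 2 and 3): fetch, then compare owner BEFORE returning data.
function getPostFixed(req) {
  const post = queryOne('SELECT * FROM posts WHERE id = ?', [req.params.id]);
  if (!post) return { status: 404 };
  if (req.user.id !== post.ownerId) return { status: 403 };
  return { status: 200, body: post };
}

// Same rule for a mutating endpoint: the check must run before the delete.
function deletePostFixed(req) {
  const post = queryOne('SELECT * FROM posts WHERE id = ?', [req.params.id]);
  if (!post) return { status: 404 };
  if (req.user.id !== post.ownerId) return { status: 403 };
  POSTS.splice(POSTS.indexOf(post), 1);
  return { status: 204 };
}

// Test stub for step 5: a valid session for a different user must get 403.
function crossUserTest() {
  const req = { user: { id: 'bob' }, params: { id: '1' } }; // bob requests alice's post
  return {
    before: getPostVulnerable(req).status,   // 200: the IDOR
    after: getPostFixed(req).status,         // 403 after the fix
    deleteAfter: deletePostFixed(req).status,
    stillPresent: POSTS.some((p) => p.id === 1),
  };
}
```

The `before`/`after` pair is the evidence the audit table asks for: the same request against the same record, with only the placement of the ownership check changed.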