fix: security issue playlist deletion cross user

fixes #5777

src/invidious/database/playlists.cr

@@ -194,13 +194,13 @@ module Invidious::Database::PlaylistVideos
     PG_DB.exec(request, args: video_array)
   end
 
-  def delete(index)
+  def delete(index, plid : String)
     request = <<-SQL
       DELETE FROM playlist_videos *
-      WHERE index = $1
+      WHERE index = $1 AND plid = $2
     SQL
 
-    PG_DB.exec(request, index)
+    PG_DB.exec(request, index, plid)
   end
 
   def delete_by_playlist(plid : String)

src/invidious/routes/api/v1/authenticated.cr

@@ -364,7 +364,7 @@ module Invidious::Routes::API::V1::Authenticated
       return error_json(404, "Playlist does not contain index")
     end
 
-    Invidious::Database::PlaylistVideos.delete(index)
+    Invidious::Database::PlaylistVideos.delete(index, plid)
     Invidious::Database::Playlists.update_video_removed(plid, index)
 
     env.response.status_code = 204

src/invidious/routes/playlists.cr

@@ -357,8 +357,12 @@ module Invidious::Routes::Playlists
       Invidious::Database::PlaylistVideos.insert(playlist_video)
       Invidious::Database::Playlists.update_video_added(playlist_id, playlist_video.index)
     when "remove_video"
-      index = env.params.query["set_video_id"]
-      Invidious::Database::PlaylistVideos.delete(index)
+      index = env.params.query["set_video_id"].to_i64?
+      if index.nil? || !playlist.index.includes? index
+        return error_json(404, "Playlist does not contain index")
+      end
+
+      Invidious::Database::PlaylistVideos.delete(index, playlist_id)
       Invidious::Database::Playlists.update_video_removed(playlist_id, index)
     when "move_video_before"
       # TODO: Playlist stub