In the database table that stores the image filenames, add a field for the user_id
that owns the image.
When the delete action is invoked, lookup in the table to see if the current logged in user is associated with the image that they are trying to delete. If the user_id
in the table doesn't match the logged in user then do not allow the delete.