diff --git a/src/api/wishes.php b/src/api/wishes.php index 4702ec4f..71177d54 100644 --- a/src/api/wishes.php +++ b/src/api/wishes.php @@ -94,6 +94,16 @@ switch ($_SERVER['REQUEST_METHOD']) { break; } + $user = User::getCurrent(); + + if (!$user->ownsWishlist()) { + \http_response_code(403); + + die(__('You may only modify wishes you own.')); + + return; + } + $wish_title = addslashes(filter_input(INPUT_POST, 'wish_title', FILTER_SANITIZE_SPECIAL_CHARS) ?? ''); $wish_description = addslashes(filter_input(INPUT_POST, 'wish_description', FILTER_SANITIZE_SPECIAL_CHARS) ?? ''); $wish_image = addslashes(filter_input(INPUT_POST, 'wish_image', FILTER_SANITIZE_URL) ?? ''); diff --git a/src/classes/wishthis/User.php b/src/classes/wishthis/User.php index 62606550..cfd1b89a 100644 --- a/src/classes/wishthis/User.php +++ b/src/classes/wishthis/User.php @@ -308,6 +308,23 @@ class User return $wishlists; } + public function ownsWishlist(): bool + { + if (!$this->isLoggedIn()) { + return false; + } + + $wishlists = $this->getWishlists(); + + foreach ($wishlists as $wishlistData) { + if ($wishlistData['user'] === $this->id) { + return true; + } + } + + return false; + } + public function getSavedWishlists(): array { global $database;