fix: adding wish to arbitrary list

grandeljay 2024-01-16 17:36:46 +01:00
parent d913cc16b8
commit 103e2f5a28
2 changed files with 27 additions and 0 deletions


@ -94,6 +94,16 @@ switch ($_SERVER['REQUEST_METHOD']) {
break; break;
} }
$user = User::getCurrent();
if (!$user->ownsWishlist()) {
\http_response_code(403);
die(__('You may only modify wishes you own.'));
return;
}
$wish_title = addslashes(filter_input(INPUT_POST, 'wish_title', FILTER_SANITIZE_SPECIAL_CHARS) ?? ''); $wish_title = addslashes(filter_input(INPUT_POST, 'wish_title', FILTER_SANITIZE_SPECIAL_CHARS) ?? '');
$wish_description = addslashes(filter_input(INPUT_POST, 'wish_description', FILTER_SANITIZE_SPECIAL_CHARS) ?? ''); $wish_description = addslashes(filter_input(INPUT_POST, 'wish_description', FILTER_SANITIZE_SPECIAL_CHARS) ?? '');
$wish_image = addslashes(filter_input(INPUT_POST, 'wish_image', FILTER_SANITIZE_URL) ?? ''); $wish_image = addslashes(filter_input(INPUT_POST, 'wish_image', FILTER_SANITIZE_URL) ?? '');
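Review bot: The guard added at the top of this hunk, `if (!$user->ownsWishlist())`, passes no wishlist identifier, so it only establishes that the current user owns some wishlist, not the one the wish is about to be added to; a logged-in user with any list of their own still passes, and the arbitrary-list write the commit title describes is not closed by this check alone. The target list id is not visible in this hunk (presumably it is read from the POST body after these lines), so the check should take that id, e.g. `if (!$user->ownsWishlist($wishlist_id)) {`, with the method then comparing it against the lists the user owns. The `return;` after `die()` is unreachable and can be dropped. The enclosing switch case starts before and continues past the hunk.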


@ -308,6 +308,23 @@ class User
return $wishlists; return $wishlists;
} }
public function ownsWishlist(): bool
{
if (!$this->isLoggedIn()) {
return false;
}
$wishlists = $this->getWishlists();
foreach ($wishlists as $wishlistData) {
if ($wishlistData['user'] === $this->id) {
return true;
}
}
return false;
}
public function getSavedWishlists(): array public function getSavedWishlists(): array
{ {
global $database; global $database;
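Review bot: `ownsWishlist()` takes no argument and returns true as soon as any entry from `getWishlists()` has `user === $this->id`, so it answers "does this user own at least one wishlist" rather than "does this user own this wishlist"; as written it cannot back an authorization decision about a specific list. If `getWishlists()` already returns only the current user's lists (suggested by the name, not visible here), the loop is also a tautology for any user with one list. Give it the target, `public function ownsWishlist(int $wishlistId): bool`, and match the entry's own primary-key column against `$wishlistId` instead of the `user` column, returning false when nothing matches. Note too that `===` between `$this->id` and a value read back from the database is false whenever the driver returns the column as a string, so cast both sides to int before comparing. The method is complete within the hunk; getSavedWishlists() continues past it.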