fix: adding wish to arbitrary list
parent
d913cc16b8
commit
103e2f5a28
2 changed files with 27 additions and 0 deletions
|
@ -94,6 +94,16 @@ switch ($_SERVER['REQUEST_METHOD']) {
|
|||
break;
|
||||
}
|
||||
|
||||
$user = User::getCurrent();
|
||||
|
||||
if (!$user->ownsWishlist()) {
|
||||
\http_response_code(403);
|
||||
|
||||
die(__('You may only modify wishes you own.'));
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
$wish_title = addslashes(filter_input(INPUT_POST, 'wish_title', FILTER_SANITIZE_SPECIAL_CHARS) ?? '');
|
||||
$wish_description = addslashes(filter_input(INPUT_POST, 'wish_description', FILTER_SANITIZE_SPECIAL_CHARS) ?? '');
|
||||
$wish_image = addslashes(filter_input(INPUT_POST, 'wish_image', FILTER_SANITIZE_URL) ?? '');
|
||||
|
|
|
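Review bot: The new guard calls `$user->ownsWishlist()` without naming the wishlist the wish is being added to, so the check is not bound to the target of the request. As written in the `User` hunk, the method returns true as soon as any row from `getWishlists()` carries the user's id, which reads as "logged in and has at least one list" rather than "owns the list named in this request"; a logged-in user with a list of their own would presumably still pass when the request names a different list. Pass the validated target id into the check, e.g. `public function ownsWishlist(int $wishlistId): bool`, compare it against the ids of the lists the user owns, and call it only after that id has been read from the request. The `return;` after `die(...)` is never reached and can be dropped. The enclosing `case`/`switch` starts outside the hunk, so where the wishlist id is read is not visible here.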
@ -308,6 +308,23 @@ class User
|
|||
return $wishlists;
|
||||
}
|
||||
|
||||
public function ownsWishlist(): bool
|
||||
{
|
||||
if (!$this->isLoggedIn()) {
|
||||
return false;
|
||||
}
|
||||
|
||||
$wishlists = $this->getWishlists();
|
||||
|
||||
foreach ($wishlists as $wishlistData) {
|
||||
if ($wishlistData['user'] === $this->id) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
public function getSavedWishlists(): array
|
||||
{
|
||||
global $database;
|
||||
|
|
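Review bot: `$wishlistData['user'] === $this->id` is a strict comparison, so it only matches when the row value and `$this->id` have the same type. Neither the body of `getWishlists()` nor the declaration of `$this->id` is visible in this hunk; if the database driver returns column values as strings while the id is an int, this method returns false for every user and the new 403 guard rejects all writes. Normalise both sides before comparing, e.g. `if ((int) $wishlistData['user'] === (int) $this->id) {`, and add a docblock stating exactly which ownership the method asserts.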