fix: adding wish to arbitrary list

2024-01-16 17:36:46 +01:00 · 2024-01-16 17:36:46 +01:00 · 103e2f5a28
commit 103e2f5a28
parent d913cc16b8
2 changed files with 27 additions and 0 deletions
--- a/src/api/wishes.php
+++ b/src/api/wishes.php
@ -94,6 +94,16 @@ switch ($_SERVER['REQUEST_METHOD']) {
                break;
            }

+            $user = User::getCurrent();
+
+            if (!$user->ownsWishlist()) {
+                \http_response_code(403);
+
+                die(__('You may only modify wishes you own.'));
+
+                return;
+            }
+
            $wish_title          = addslashes(filter_input(INPUT_POST, 'wish_title', FILTER_SANITIZE_SPECIAL_CHARS) ?? '');
            $wish_description    = addslashes(filter_input(INPUT_POST, 'wish_description', FILTER_SANITIZE_SPECIAL_CHARS) ?? '');
            $wish_image          = addslashes(filter_input(INPUT_POST, 'wish_image', FILTER_SANITIZE_URL) ?? '');
--- a/src/classes/wishthis/User.php
+++ b/src/classes/wishthis/User.php
@ -308,6 +308,23 @@ class User
        return $wishlists;
    }

+    public function ownsWishlist(): bool
+    {
+        if (!$this->isLoggedIn()) {
+            return false;
+        }
+
+        $wishlists = $this->getWishlists();
+
+        foreach ($wishlists as $wishlistData) {
+            if ($wishlistData['user'] === $this->id) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
    public function getSavedWishlists(): array
    {
        global $database;