diff --git a/src/api/wishes.php b/src/api/wishes.php index 220a3a18..4702ec4f 100644 --- a/src/api/wishes.php +++ b/src/api/wishes.php @@ -341,6 +341,41 @@ switch ($_SERVER['REQUEST_METHOD']) { case 'DELETE': $_DELETE = $this->input; + $user = User::getCurrent(); + + if (!$user->isLoggedIn()) { + http_response_code(403); + die(__('You must be logged in to delete a wish.')); + + return; + } + + $user_id = $user->getId(); + + $userOwnsWishQuery = $database->query( + ' SELECT `wishes`.`id` AS "wish_id", + `wishlists`.`id` AS "wishlist_id", + `users`.`id` AS "user_id" + FROM `wishes` + LEFT JOIN `wishlists` ON `wishes`.`wishlist` = `wishlists`.`id` + LEFT JOIN `users` ON `wishlists`.`user` = `users`.`id` + WHERE `wishes`.`id` = :wish_id + AND `users`.`id` = :user_id', + [ + 'wish_id' => $_DELETE['wish_id'], + 'user_id' => $user_id, + ] + ); + $userOwnsWishData = $userOwnsWishQuery->fetch(\PDO::FETCH_ASSOC); + $userOwnsWish = isset($userOwnsWishData['user_id']) && $userOwnsWishData['user_id'] === $user_id; + + if (!$userOwnsWish) { + http_response_code(403); + die(__('You must own a wish in order to delete it.')); + + return; + } + if (isset($_DELETE['wish_id'])) { $database->query( 'DELETE FROM `wishes`