From 3b43f0895584e0a3d2dfb0faf95cacdb12092d4a Mon Sep 17 00:00:00 2001
From: grandeljay <github@grandels.email>
Date: Tue, 16 Jan 2024 17:10:05 +0100
Subject: [PATCH] fix: missing authentication when deleting wish

---
 src/api/wishes.php | 35 +++++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)

diff --git a/src/api/wishes.php b/src/api/wishes.php
index 220a3a18..4702ec4f 100644
--- a/src/api/wishes.php
+++ b/src/api/wishes.php
@@ -341,6 +341,41 @@ switch ($_SERVER['REQUEST_METHOD']) {
     case 'DELETE':
         $_DELETE = $this->input;
 
+        $user = User::getCurrent();
+
+        if (!$user->isLoggedIn()) {
+            http_response_code(403);
+            die(__('You must be logged in to delete a wish.'));
+
+            return;
+        }
+
+        $user_id = $user->getId();
+
+        $userOwnsWishQuery = $database->query(
+            '  SELECT `wishes`.`id`    AS "wish_id",
+                      `wishlists`.`id` AS "wishlist_id",
+                      `users`.`id`     AS "user_id"
+                 FROM `wishes`
+            LEFT JOIN `wishlists` ON `wishes`.`wishlist` = `wishlists`.`id`
+            LEFT JOIN `users`     ON `wishlists`.`user`  = `users`.`id`
+                WHERE `wishes`.`id` = :wish_id
+                  AND `users`.`id`  = :user_id',
+            [
+                'wish_id' => $_DELETE['wish_id'],
+                'user_id' => $user_id,
+            ]
+        );
+        $userOwnsWishData  = $userOwnsWishQuery->fetch(\PDO::FETCH_ASSOC);
+        $userOwnsWish      = isset($userOwnsWishData['user_id']) && $userOwnsWishData['user_id'] === $user_id;
+
+        if (!$userOwnsWish) {
+            http_response_code(403);
+            die(__('You must own a wish in order to delete it.'));
+
+            return;
+        }
+
         if (isset($_DELETE['wish_id'])) {
             $database->query(
                 'DELETE FROM `wishes`