fix: missing authentication when deleting wish
This commit is contained in:
grandeljay
parent
6b1d4cb725
commit
3b43f08955
1 changed files with 35 additions and 0 deletions
|
|
@ -341,6 +341,41 @@ switch ($_SERVER['REQUEST_METHOD']) {
|
||||||
case 'DELETE':
|
case 'DELETE':
|
||||||
$_DELETE = $this->input;
|
$_DELETE = $this->input;
|
||||||
|
|
||||||
|
$user = User::getCurrent();
|
||||||
|
|
||||||
|
if (!$user->isLoggedIn()) {
|
||||||
|
http_response_code(403);
|
||||||
|
die(__('You must be logged in to delete a wish.'));
|
||||||
|
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
$user_id = $user->getId();
|
||||||
|
|
||||||
|
$userOwnsWishQuery = $database->query(
|
||||||
|
' SELECT `wishes`.`id` AS "wish_id",
|
||||||
|
`wishlists`.`id` AS "wishlist_id",
|
||||||
|
`users`.`id` AS "user_id"
|
||||||
|
FROM `wishes`
|
||||||
|
LEFT JOIN `wishlists` ON `wishes`.`wishlist` = `wishlists`.`id`
|
||||||
|
LEFT JOIN `users` ON `wishlists`.`user` = `users`.`id`
|
||||||
|
WHERE `wishes`.`id` = :wish_id
|
||||||
|
AND `users`.`id` = :user_id',
|
||||||
|
[
|
||||||
|
'wish_id' => $_DELETE['wish_id'],
|
||||||
|
'user_id' => $user_id,
|
||||||
|
]
|
||||||
|
);
|
||||||
|
$userOwnsWishData = $userOwnsWishQuery->fetch(\PDO::FETCH_ASSOC);
|
||||||
|
$userOwnsWish = isset($userOwnsWishData['user_id']) && $userOwnsWishData['user_id'] === $user_id;
|
||||||
|
|
||||||
|
if (!$userOwnsWish) {
|
||||||
|
http_response_code(403);
|
||||||
|
die(__('You must own a wish in order to delete it.'));
|
||||||
|
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
if (isset($_DELETE['wish_id'])) {
|
if (isset($_DELETE['wish_id'])) {
|
||||||
$database->query(
|
$database->query(
|
||||||
'DELETE FROM `wishes`
|
'DELETE FROM `wishes`
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue