Forbid unauthorised access to user wishlists

2022-12-14 16:48:33 +01:00 · 2022-12-14 16:48:33 +01:00 · 68976b70fe
commit 68976b70fe
parent 9d477c6019
2 changed files with 11 additions and 1 deletions
--- a/src/api/wishlists.php
+++ b/src/api/wishlists.php
@ -133,7 +133,11 @@ switch ($_SERVER['REQUEST_METHOD']) {
            /**
             * Get user wishlists
             */
-            $user = isset($_GET['userid']) ? User::getFromID($_GET['userid']) : $_SESSION['user'];
+            $user = $_SESSION['user'];
+
+            if (!$user->isLoggedIn()) {
+                $this->response(403);
+            }

            $wishlists       = array();
            $wishlists_items = array();
--- a/src/classes/api.php
+++ b/src/classes/api.php
@ -72,4 +72,10 @@ class API

        return $request_variables;
    }
+
+    private function response(int $http_code): void
+    {
+        http_response_code($http_code);
+        die();
+    }
 }