fix: #177 accessing wishlist without permission
This commit is contained in:
grandeljay
parent
62bb6d961b
commit
97c7c7142c
4 changed files with 88 additions and 107 deletions
|
|
@ -108,10 +108,39 @@ switch ($_SERVER['REQUEST_METHOD']) {
|
|||
$getOwnWishlists = $user->isLoggedIn();
|
||||
|
||||
if ($getWishlistCardsFromPriority) {
|
||||
$wishlist = Wishlist::getFromId($_GET['wishlist_id']);
|
||||
if (!$user->isLoggedIn()) {
|
||||
http_response_code(403);
|
||||
return;
|
||||
}
|
||||
|
||||
if (false === $wishlist) {
|
||||
$wishlist = Wishlist::getFromId($_GET['wishlist_id']);
|
||||
$userWishlistsQuery = $database
|
||||
->query(
|
||||
'SELECT `id`
|
||||
FROM `wishlists`
|
||||
WHERE `user` = :wishlist_user_id',
|
||||
array(
|
||||
'wishlist_user_id' => $user->getId(),
|
||||
)
|
||||
);
|
||||
|
||||
if (false === $wishlist || false === $userWishlistsQuery) {
|
||||
http_response_code(404);
|
||||
return;
|
||||
}
|
||||
|
||||
$userWishlistsResults = \array_map(
|
||||
function ($result) {
|
||||
return $result['id'];
|
||||
},
|
||||
$userWishlistsQuery->fetchAll()
|
||||
);
|
||||
|
||||
$userOwnsRequestedWishlist = \in_array($wishlist->getId(), $userWishlistsResults, true);
|
||||
|
||||
if (!$userOwnsRequestedWishlist) {
|
||||
http_response_code(403);
|
||||
return;
|
||||
}
|
||||
|
||||
$priorityAll = -1;
|
||||
|
|
|
|||
|
|
@ -25,10 +25,17 @@ $(function() {
|
|||
modal_failure_content = wishthis.strings.modal.failure.content;
|
||||
}
|
||||
|
||||
showFailure(
|
||||
wishthis.strings.modal.failure.title,
|
||||
modal_failure_content,
|
||||
);
|
||||
if (xhr.status && xhr.statusText) {
|
||||
showFailure(
|
||||
xhr.status + ' - ' + xhr.statusText,
|
||||
''
|
||||
);
|
||||
} else {
|
||||
showFailure(
|
||||
wishthis.strings.modal.failure.title,
|
||||
modal_failure_content
|
||||
);
|
||||
}
|
||||
}
|
||||
$.fn.api.settings.onError = function(response, element, xhr) {
|
||||
var modal_error_content = '';
|
||||
|
|
@ -262,7 +269,7 @@ function showError(title = '', content = '') {
|
|||
$('body').modal(modal_error);
|
||||
}
|
||||
|
||||
function showFailure(title = '', content = '') {
|
||||
function showFailure(title = '', content = '', status = 200) {
|
||||
var modal_failure = {
|
||||
'class' : 'small',
|
||||
'autoShow' : true,
|
||||
|
|
|
|||
|
|
@ -52,106 +52,46 @@ $(function () {
|
|||
wishthis.$_GET.id = wishlist_id;
|
||||
|
||||
if (wishlist_id) {
|
||||
/** Get wishlist */
|
||||
fetch('/index.php?page=api&module=wishlists&id=' + wishlist_id, { method: 'GET' })
|
||||
.then(handleFetchError)
|
||||
.then(handleFetchResponse)
|
||||
.then(function(response) {
|
||||
/** Set currently selected wishlist */
|
||||
wishlists.forEach(wishlistI => {
|
||||
if (wishlistI.id === parseInt(wishlist_id)) {
|
||||
wishlist = wishlistI;
|
||||
}
|
||||
});
|
||||
|
||||
/** Set share link */
|
||||
$('.wishlist-share').attr('href', '/wishlist/' + $(wishlist).prop('hash'));
|
||||
|
||||
/** Enable wishlist options buttons */
|
||||
$('.button.wishlist-wish-add').removeClass('disabled');
|
||||
$('.button.wishlist-share').removeClass('disabled');
|
||||
$('.button.wishlist-options')
|
||||
.removeClass('disabled')
|
||||
.dropdown({
|
||||
'action' : 'select'
|
||||
});
|
||||
$('.wishlist-rename').removeClass('disabled');
|
||||
$('.wishlist-delete').removeClass('disabled');
|
||||
|
||||
/** Update URL */
|
||||
urlParams.set('id', wishlist_id);
|
||||
|
||||
updateURL();
|
||||
/** */
|
||||
|
||||
/**
|
||||
* Very dirty hack to ensure the wishes are going to be
|
||||
* displayed after the page has laoded.
|
||||
*/
|
||||
setTimeout(function dropdown_wishlists_api() {
|
||||
var api_is_complete = $('.ui.dropdown.filter.priority').api('was complete');
|
||||
|
||||
if ($('.ui.column.wishlist > .column').length > 0 && api_is_complete) {
|
||||
$('.ui.dropdown.filter.priority').api('query');
|
||||
|
||||
setTimeout(dropdown_wishlists_api, 1);
|
||||
}
|
||||
}, 1);
|
||||
/** */
|
||||
|
||||
/*
|
||||
const get_wishes = new URLSearchParams(
|
||||
{
|
||||
'module' : 'wishes',
|
||||
'page' : 'api',
|
||||
|
||||
'wishlist_id' : wishlist.id,
|
||||
'wishlist_style' : $('[name="style"]').val(),
|
||||
'wish_priority' : -1,
|
||||
}
|
||||
);
|
||||
fetch('/index.php?' + get_wishes, { method: 'GET' })
|
||||
.then(handleFetchError)
|
||||
.then(handleFetchResponse)
|
||||
.then(function(response) {
|
||||
/** Cards *//*
|
||||
var wishes = response.results;
|
||||
var wishlist_cards = $('.wishlist-cards');
|
||||
|
||||
wishlist_cards.html('');
|
||||
|
||||
switch (get_wishes.wishlist_style) {
|
||||
case 'list':
|
||||
wishlist_cards.append('<div class="ui one column doubling stackable grid wishlist"></div>');
|
||||
break;
|
||||
|
||||
default:
|
||||
wishlist_cards.append('<div class="ui three column doubling stackable grid wishlist"></div>');
|
||||
break;
|
||||
}
|
||||
|
||||
if (wishes.length > 0) {
|
||||
wishes.forEach(wish => {
|
||||
$('.wishlist-cards > .wishlist.grid').append('<div class="column">' + wish.card + '</div>');
|
||||
});
|
||||
} else {
|
||||
$('.wishlist-cards > .wishlist.grid').append(
|
||||
'<div class="sixteen wide column">' +
|
||||
'<div class="ui info icon message">' +
|
||||
'<i class="info circle icon"></i> ' +
|
||||
'<div class="content">' +
|
||||
'<div class="header">' + wishthis.strings.message.wishlist.empty.header + '</div>' +
|
||||
'<p>' + wishthis.strings.message.wishlist.empty.content + '</p>' +
|
||||
'</div>' +
|
||||
'</div>' +
|
||||
'</div>'
|
||||
);
|
||||
}
|
||||
|
||||
$('.ui.dropdown.wish-options').removeClass('disabled').dropdown();
|
||||
});
|
||||
*/
|
||||
/** Set currently selected wishlist */
|
||||
wishlists.forEach(wishlistI => {
|
||||
if (wishlistI.id === parseInt(wishlist_id)) {
|
||||
wishlist = wishlistI;
|
||||
}
|
||||
});
|
||||
|
||||
/** Set share link */
|
||||
$('.wishlist-share').attr('href', '/wishlist/' + $(wishlist).prop('hash'));
|
||||
|
||||
/** Enable wishlist options buttons */
|
||||
$('.button.wishlist-wish-add').removeClass('disabled');
|
||||
$('.button.wishlist-share').removeClass('disabled');
|
||||
$('.button.wishlist-options')
|
||||
.removeClass('disabled')
|
||||
.dropdown({
|
||||
'action' : 'select'
|
||||
});
|
||||
$('.wishlist-rename').removeClass('disabled');
|
||||
$('.wishlist-delete').removeClass('disabled');
|
||||
|
||||
/** Update URL */
|
||||
urlParams.set('id', wishlist_id);
|
||||
|
||||
updateURL();
|
||||
/** */
|
||||
|
||||
/**
|
||||
* Very dirty hack to ensure the wishes are going to be
|
||||
* displayed after the page has laoded.
|
||||
*/
|
||||
setTimeout(function dropdown_wishlists_api() {
|
||||
var api_is_complete = $('.ui.dropdown.filter.priority').api('was complete');
|
||||
|
||||
if ($('.ui.column.wishlist > .column').length > 0 && api_is_complete) {
|
||||
$('.ui.dropdown.filter.priority').api('query');
|
||||
|
||||
setTimeout(dropdown_wishlists_api, 1);
|
||||
}
|
||||
}, 1);
|
||||
} else {
|
||||
/** Disable wishlist options buttons */
|
||||
$('.button.wishlist-wish-add').removeClass('disabled');
|
||||
|
|
|
|||
|
|
@ -28,7 +28,12 @@ class Wishlist
|
|||
}
|
||||
|
||||
$wishlistData = $wishlistQuery->fetch();
|
||||
$wishlist = new Wishlist($wishlistData);
|
||||
|
||||
if (false === $wishlistData) {
|
||||
return false;
|
||||
}
|
||||
|
||||
$wishlist = new Wishlist($wishlistData);
|
||||
|
||||
return $wishlist;
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in a new issue