diff --git a/src/api/wishlists.php b/src/api/wishlists.php
index 4c2a9ebb..1a5a1b4e 100644
--- a/src/api/wishlists.php
+++ b/src/api/wishlists.php
@@ -108,10 +108,39 @@ switch ($_SERVER['REQUEST_METHOD']) {
 $getOwnWishlists = $user->isLoggedIn();
 
 if ($getWishlistCardsFromPriority) {
-$wishlist = Wishlist::getFromId($_GET['wishlist_id']);
+if (!$user->isLoggedIn()) {
+http_response_code(403);
+return;
+}
 
-if (false === $wishlist) {
+$wishlist = Wishlist::getFromId($_GET['wishlist_id']);
+$userWishlistsQuery = $database
+->query(
+'SELECT `id`
+FROM `wishlists`
+WHERE `user` = :wishlist_user_id',
+array(
+'wishlist_user_id' => $user->getId(),
+)
+);
+
+if (false === $wishlist || false === $userWishlistsQuery) {
 http_response_code(404);
+return;
+}
+
+$userWishlistsResults = \array_map(
+function ($result) {
+return $result['id'];
+},
+$userWishlistsQuery->fetchAll()
+);
+
+$userOwnsRequestedWishlist = \in_array($wishlist->getId(), $userWishlistsResults, true);
+
+if (!$userOwnsRequestedWishlist) {
+http_response_code(403);
+return;
 }
 
 $priorityAll = -1;
diff --git a/src/assets/js/default.js b/src/assets/js/default.js
index 1ccd738f..64e9f9c0 100644
--- a/src/assets/js/default.js
+++ b/src/assets/js/default.js
@@ -25,10 +25,17 @@ $(function() {
 modal_failure_content = wishthis.strings.modal.failure.content;
 }
 
-showFailure(
-wishthis.strings.modal.failure.title,
-modal_failure_content,
-);
+if (xhr.status && xhr.statusText) {
+showFailure(
+xhr.status + ' - ' + xhr.statusText,
+''
+);
+} else {
+showFailure(
+wishthis.strings.modal.failure.title,
+modal_failure_content
+);
+}
 }
 $.fn.api.settings.onError = function(response, element, xhr) {
 var modal_error_content = '';
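Review bot: The new ownership check answers 404 when the wishlist does not exist but 403 when it exists and belongs to another user, so any logged-in caller can tell from the status code alone which `wishlist_id` values are in use — an existence oracle the endpoint did not have before. It also loads every id the caller owns and scans the array with `\in_array`, where one query keyed on both `id` and `user` answers the same question without materialising the list. Returning 404 for both failures and folding the lookup into a single parameterised query keeps "missing" and "not yours" indistinguishable; `fetch()` returning `false` on no row is the convention the Wishlist.php hunk in this same commit relies on. The enclosing `switch` starts outside the hunk.
```php
// … unchanged: logged-in check (403) …

$wishlist = Wishlist::getFromId($_GET['wishlist_id']);

if (false === $wishlist) {
    http_response_code(404);
    return;
}

/** Exists-and-owned in one query; the same 404 for "not yours" keeps other users' wishlist ids undisclosed. */
$ownershipQuery = $database
    ->query(
        'SELECT `id`
           FROM `wishlists`
          WHERE `id` = :wishlist_id
            AND `user` = :wishlist_user_id',
        array(
            'wishlist_id'      => $wishlist->getId(),
            'wishlist_user_id' => $user->getId(),
        )
    );

if (false === $ownershipQuery || false === $ownershipQuery->fetch()) {
    http_response_code(404);
    return;
}

// … unchanged: $priorityAll = -1; …
```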
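Review bot: The new `xhr.status && xhr.statusText` branch passes `''` as the modal content, discarding `modal_failure_content`, which the lines directly above it just finished computing (the context line `modal_failure_content = wishthis.strings.modal.failure.content;` is the tail of an `if` that starts outside the hunk). The status line is useful as a title, but the message should still be shown: `showFailure(xhr.status + ' - ' + xhr.statusText, modal_failure_content);`. Note also that `statusText` is typically empty on HTTP/2 responses, so in practice the condition will often fall through to the generic branch; if the status code is what matters, testing `xhr.status` alone is the more reliable guard. The enclosing `$.fn.api.settings.onFailure`-style handler begins outside the hunk.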
@@ -262,7 +269,7 @@ function showError(title = '', content = '') {
 $('body').modal(modal_error);
 }
 
-function showFailure(title = '', content = '') {
+function showFailure(title = '', content = '', status = 200) {
 var modal_failure = {
 'class' : 'small',
 'autoShow' : true,
diff --git a/src/assets/js/parts/wishlists.js b/src/assets/js/parts/wishlists.js
index 53f78c8c..11dfefb7 100644
--- a/src/assets/js/parts/wishlists.js
+++ b/src/assets/js/parts/wishlists.js
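Review bot: The new `status = 200` parameter on `showFailure` is neither passed by the caller this commit adds in the other default.js hunk nor read in the visible part of the body, so as it stands it is dead API surface that invites callers to rely on something that does nothing. Either drop it until it drives behaviour, or document the contract right above the signature, e.g. `/** @param {number} [status=200] HTTP status the failure relates to; currently unused */`. The function body continues outside the hunk, so a use further down cannot be ruled out from here.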
@@ -52,106 +52,46 @@ $(function () { wishthis.$_GET.id = wishlist_id; if (wishlist_id) { - /** Get wishlist */ - fetch('/index.php?page=api&module=wishlists&id=' + wishlist_id, { method: 'GET' }) - .then(handleFetchError) - .then(handleFetchResponse) - .then(function(response) { - /** Set currently selected wishlist */ - wishlists.forEach(wishlistI => { - if (wishlistI.id === parseInt(wishlist_id)) { - wishlist = wishlistI; - } - }); - - /** Set share link */ - $('.wishlist-share').attr('href', '/wishlist/' + $(wishlist).prop('hash')); - - /** Enable wishlist options buttons */ - $('.button.wishlist-wish-add').removeClass('disabled'); - $('.button.wishlist-share').removeClass('disabled'); - $('.button.wishlist-options') - .removeClass('disabled') - .dropdown({ - 'action' : 'select' - }); - $('.wishlist-rename').removeClass('disabled'); - $('.wishlist-delete').removeClass('disabled'); - - /** Update URL */ - urlParams.set('id', wishlist_id); - - updateURL(); - /** */ - - /** - * Very dirty hack to ensure the wishes are going to be - * displayed after the page has laoded. - */ - setTimeout(function dropdown_wishlists_api() { - var api_is_complete = $('.ui.dropdown.filter.priority').api('was complete'); - - if ($('.ui.column.wishlist > .column').length > 0 && api_is_complete) { - $('.ui.dropdown.filter.priority').api('query'); - - setTimeout(dropdown_wishlists_api, 1); - } - }, 1); - /** */ - - /* - const get_wishes = new URLSearchParams( - { - 'module' : 'wishes', - 'page' : 'api', - - 'wishlist_id' : wishlist.id, - 'wishlist_style' : $('[name="style"]').val(), - 'wish_priority' : -1, - } - ); - fetch('/index.php?' + get_wishes, { method: 'GET' }) - .then(handleFetchError) - .then(handleFetchResponse) - .then(function(response) { - /** Cards *//* - var wishes = response.results; - var wishlist_cards = $('.wishlist-cards'); - - wishlist_cards.html(''); - - switch (get_wishes.wishlist_style) { - case 'list': - wishlist_cards.append('
'); - break; - - default: - wishlist_cards.append('
'); - break; - } - - if (wishes.length > 0) { - wishes.forEach(wish => { - $('.wishlist-cards > .wishlist.grid').append('
' + wish.card + '
'); - }); - } else { - $('.wishlist-cards > .wishlist.grid').append( - '
' + - '
' + - ' ' + - '
' + - '
' + wishthis.strings.message.wishlist.empty.header + '
' + - '

' + wishthis.strings.message.wishlist.empty.content + '

' + - '
' + - '
' + - '
' - ); - } - - $('.ui.dropdown.wish-options').removeClass('disabled').dropdown(); - }); - */ + /** Set currently selected wishlist */ + wishlists.forEach(wishlistI => { + if (wishlistI.id === parseInt(wishlist_id)) { + wishlist = wishlistI; + } }); + + /** Set share link */ + $('.wishlist-share').attr('href', '/wishlist/' + $(wishlist).prop('hash')); + + /** Enable wishlist options buttons */ + $('.button.wishlist-wish-add').removeClass('disabled'); + $('.button.wishlist-share').removeClass('disabled'); + $('.button.wishlist-options') + .removeClass('disabled') + .dropdown({ + 'action' : 'select' + }); + $('.wishlist-rename').removeClass('disabled'); + $('.wishlist-delete').removeClass('disabled'); + + /** Update URL */ + urlParams.set('id', wishlist_id); + + updateURL(); + /** */ + + /** + * Very dirty hack to ensure the wishes are going to be + * displayed after the page has laoded. + */ + setTimeout(function dropdown_wishlists_api() { + var api_is_complete = $('.ui.dropdown.filter.priority').api('was complete'); + + if ($('.ui.column.wishlist > .column').length > 0 && api_is_complete) { + $('.ui.dropdown.filter.priority').api('query'); + + setTimeout(dropdown_wishlists_api, 1); + } + }, 1); } else { /** Disable wishlist options buttons */ $('.button.wishlist-wish-add').removeClass('disabled'); diff --git a/src/classes/wishthis/Wishlist.php b/src/classes/wishthis/Wishlist.php index 14403e82..dde4aa18 100644 --- a/src/classes/wishthis/Wishlist.php +++ b/src/classes/wishthis/Wishlist.php @@ -28,7 +28,12 @@ class Wishlist } $wishlistData = $wishlistQuery->fetch(); - $wishlist = new Wishlist($wishlistData); + + if (false === $wishlistData) { + return false; + } + + $wishlist = new Wishlist($wishlistData); return $wishlist; }