fix: #177 accessing wishlist without permission

This commit is contained in:
grandeljay 2023-11-09 15:32:31 +01:00
parent 62bb6d961b
commit 97c7c7142c
4 changed files with 88 additions and 107 deletions

View file

@ -108,10 +108,39 @@ switch ($_SERVER['REQUEST_METHOD']) {
$getOwnWishlists = $user->isLoggedIn(); $getOwnWishlists = $user->isLoggedIn();
if ($getWishlistCardsFromPriority) { if ($getWishlistCardsFromPriority) {
$wishlist = Wishlist::getFromId($_GET['wishlist_id']); if (!$user->isLoggedIn()) {
http_response_code(403);
return;
}
if (false === $wishlist) { $wishlist = Wishlist::getFromId($_GET['wishlist_id']);
$userWishlistsQuery = $database
->query(
'SELECT `id`
FROM `wishlists`
WHERE `user` = :wishlist_user_id',
array(
'wishlist_user_id' => $user->getId(),
)
);
if (false === $wishlist || false === $userWishlistsQuery) {
http_response_code(404); http_response_code(404);
return;
}
$userWishlistsResults = \array_map(
function ($result) {
return $result['id'];
},
$userWishlistsQuery->fetchAll()
);
$userOwnsRequestedWishlist = \in_array($wishlist->getId(), $userWishlistsResults, true);
if (!$userOwnsRequestedWishlist) {
http_response_code(403);
return;
} }
$priorityAll = -1; $priorityAll = -1;

View file

@ -25,11 +25,18 @@ $(function() {
modal_failure_content = wishthis.strings.modal.failure.content; modal_failure_content = wishthis.strings.modal.failure.content;
} }
if (xhr.status && xhr.statusText) {
showFailure(
xhr.status + ' - ' + xhr.statusText,
''
);
} else {
showFailure( showFailure(
wishthis.strings.modal.failure.title, wishthis.strings.modal.failure.title,
modal_failure_content, modal_failure_content
); );
} }
}
$.fn.api.settings.onError = function(response, element, xhr) { $.fn.api.settings.onError = function(response, element, xhr) {
var modal_error_content = ''; var modal_error_content = '';
@ -262,7 +269,7 @@ function showError(title = '', content = '') {
$('body').modal(modal_error); $('body').modal(modal_error);
} }
function showFailure(title = '', content = '') { function showFailure(title = '', content = '', status = 200) {
var modal_failure = { var modal_failure = {
'class' : 'small', 'class' : 'small',
'autoShow' : true, 'autoShow' : true,

View file

@ -52,11 +52,6 @@ $(function () {
wishthis.$_GET.id = wishlist_id; wishthis.$_GET.id = wishlist_id;
if (wishlist_id) { if (wishlist_id) {
/** Get wishlist */
fetch('/index.php?page=api&module=wishlists&id=' + wishlist_id, { method: 'GET' })
.then(handleFetchError)
.then(handleFetchResponse)
.then(function(response) {
/** Set currently selected wishlist */ /** Set currently selected wishlist */
wishlists.forEach(wishlistI => { wishlists.forEach(wishlistI => {
if (wishlistI.id === parseInt(wishlist_id)) { if (wishlistI.id === parseInt(wishlist_id)) {
@ -97,61 +92,6 @@ $(function () {
setTimeout(dropdown_wishlists_api, 1); setTimeout(dropdown_wishlists_api, 1);
} }
}, 1); }, 1);
/** */
/*
const get_wishes = new URLSearchParams(
{
'module' : 'wishes',
'page' : 'api',
'wishlist_id' : wishlist.id,
'wishlist_style' : $('[name="style"]').val(),
'wish_priority' : -1,
}
);
fetch('/index.php?' + get_wishes, { method: 'GET' })
.then(handleFetchError)
.then(handleFetchResponse)
.then(function(response) {
/** Cards *//*
var wishes = response.results;
var wishlist_cards = $('.wishlist-cards');
wishlist_cards.html('');
switch (get_wishes.wishlist_style) {
case 'list':
wishlist_cards.append('<div class="ui one column doubling stackable grid wishlist"></div>');
break;
default:
wishlist_cards.append('<div class="ui three column doubling stackable grid wishlist"></div>');
break;
}
if (wishes.length > 0) {
wishes.forEach(wish => {
$('.wishlist-cards > .wishlist.grid').append('<div class="column">' + wish.card + '</div>');
});
} else {
$('.wishlist-cards > .wishlist.grid').append(
'<div class="sixteen wide column">' +
'<div class="ui info icon message">' +
'<i class="info circle icon"></i> ' +
'<div class="content">' +
'<div class="header">' + wishthis.strings.message.wishlist.empty.header + '</div>' +
'<p>' + wishthis.strings.message.wishlist.empty.content + '</p>' +
'</div>' +
'</div>' +
'</div>'
);
}
$('.ui.dropdown.wish-options').removeClass('disabled').dropdown();
});
*/
});
} else { } else {
/** Disable wishlist options buttons */ /** Disable wishlist options buttons */
$('.button.wishlist-wish-add').removeClass('disabled'); $('.button.wishlist-wish-add').removeClass('disabled');

View file

@ -28,6 +28,11 @@ class Wishlist
} }
$wishlistData = $wishlistQuery->fetch(); $wishlistData = $wishlistQuery->fetch();
if (false === $wishlistData) {
return false;
}
$wishlist = new Wishlist($wishlistData); $wishlist = new Wishlist($wishlistData);
return $wishlist; return $wishlist;