PrivateCoffee/wishthis
4
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

fix: #177 accessing wishlist without permission

Browse source
This commit is contained in:
grandeljay 2023-11-09 15:32:31 +01:00
parent 62bb6d961b
commit 97c7c7142c
4 changed files with 88 additions and 107 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

33
src/api/wishlists.php
View file

@ -108,10 +108,39 @@ switch ($_SERVER['REQUEST_METHOD']) {
$getOwnWishlists = $user->isLoggedIn(); $getOwnWishlists = $user->isLoggedIn();
if ($getWishlistCardsFromPriority) { if ($getWishlistCardsFromPriority) {
$wishlist = Wishlist::getFromId($_GET['wishlist_id']); if (!$user->isLoggedIn()) {
http_response_code(403);
return;
}
if (false === $wishlist) { $wishlist = Wishlist::getFromId($_GET['wishlist_id']);
$userWishlistsQuery = $database
->query(
'SELECT `id`
FROM `wishlists`
WHERE `user` = :wishlist_user_id',
array(
'wishlist_user_id' => $user->getId(),
)
);
if (false === $wishlist || false === $userWishlistsQuery) {
http_response_code(404); http_response_code(404);
return;
}
$userWishlistsResults = \array_map(
function ($result) {
return $result['id'];
},
$userWishlistsQuery->fetchAll()
);
$userOwnsRequestedWishlist = \in_array($wishlist->getId(), $userWishlistsResults, true);
if (!$userOwnsRequestedWishlist) {
http_response_code(403);
return;
} }
$priorityAll = -1; $priorityAll = -1;

17
src/assets/js/default.js
View file

@ -25,10 +25,17 @@ $(function() {
modal_failure_content = wishthis.strings.modal.failure.content; modal_failure_content = wishthis.strings.modal.failure.content;
} }
showFailure( if (xhr.status && xhr.statusText) {
wishthis.strings.modal.failure.title, showFailure(
modal_failure_content, xhr.status + ' - ' + xhr.statusText,
); ''
);
} else {
showFailure(
wishthis.strings.modal.failure.title,
modal_failure_content
);
}
} }
$.fn.api.settings.onError = function(response, element, xhr) { $.fn.api.settings.onError = function(response, element, xhr) {
var modal_error_content = ''; var modal_error_content = '';
@ -262,7 +269,7 @@ function showError(title = '', content = '') {
$('body').modal(modal_error); $('body').modal(modal_error);
} }
function showFailure(title = '', content = '') { function showFailure(title = '', content = '', status = 200) {
var modal_failure = { var modal_failure = {
'class' : 'small', 'class' : 'small',
'autoShow' : true, 'autoShow' : true,

138
src/assets/js/parts/wishlists.js
View file

@ -52,106 +52,46 @@ $(function () {
wishthis.$_GET.id = wishlist_id; wishthis.$_GET.id = wishlist_id;
if (wishlist_id) { if (wishlist_id) {
/** Get wishlist */ /** Set currently selected wishlist */
fetch('/index.php?page=api&module=wishlists&id=' + wishlist_id, { method: 'GET' }) wishlists.forEach(wishlistI => {
.then(handleFetchError) if (wishlistI.id === parseInt(wishlist_id)) {
.then(handleFetchResponse) wishlist = wishlistI;
.then(function(response) { }
/** Set currently selected wishlist */
wishlists.forEach(wishlistI => {
if (wishlistI.id === parseInt(wishlist_id)) {
wishlist = wishlistI;
}
});
/** Set share link */
$('.wishlist-share').attr('href', '/wishlist/' + $(wishlist).prop('hash'));
/** Enable wishlist options buttons */
$('.button.wishlist-wish-add').removeClass('disabled');
$('.button.wishlist-share').removeClass('disabled');
$('.button.wishlist-options')
.removeClass('disabled')
.dropdown({
'action' : 'select'
});
$('.wishlist-rename').removeClass('disabled');
$('.wishlist-delete').removeClass('disabled');
/** Update URL */
urlParams.set('id', wishlist_id);
updateURL();
/** */
/**
* Very dirty hack to ensure the wishes are going to be
* displayed after the page has laoded.
*/
setTimeout(function dropdown_wishlists_api() {
var api_is_complete = $('.ui.dropdown.filter.priority').api('was complete');
if ($('.ui.column.wishlist > .column').length > 0 && api_is_complete) {
$('.ui.dropdown.filter.priority').api('query');
setTimeout(dropdown_wishlists_api, 1);
}
}, 1);
/** */
/*
const get_wishes = new URLSearchParams(
{
'module' : 'wishes',
'page' : 'api',
'wishlist_id' : wishlist.id,
'wishlist_style' : $('[name="style"]').val(),
'wish_priority' : -1,
}
);
fetch('/index.php?' + get_wishes, { method: 'GET' })
.then(handleFetchError)
.then(handleFetchResponse)
.then(function(response) {
/** Cards *//*
var wishes = response.results;
var wishlist_cards = $('.wishlist-cards');
wishlist_cards.html('');
switch (get_wishes.wishlist_style) {
case 'list':
wishlist_cards.append('<div class="ui one column doubling stackable grid wishlist"></div>');
break;
default:
wishlist_cards.append('<div class="ui three column doubling stackable grid wishlist"></div>');
break;
}
if (wishes.length > 0) {
wishes.forEach(wish => {
$('.wishlist-cards > .wishlist.grid').append('<div class="column">' + wish.card + '</div>');
});
} else {
$('.wishlist-cards > .wishlist.grid').append(
'<div class="sixteen wide column">' +
'<div class="ui info icon message">' +
'<i class="info circle icon"></i> ' +
'<div class="content">' +
'<div class="header">' + wishthis.strings.message.wishlist.empty.header + '</div>' +
'<p>' + wishthis.strings.message.wishlist.empty.content + '</p>' +
'</div>' +
'</div>' +
'</div>'
);
}
$('.ui.dropdown.wish-options').removeClass('disabled').dropdown();
});
*/
}); });
/** Set share link */
$('.wishlist-share').attr('href', '/wishlist/' + $(wishlist).prop('hash'));
/** Enable wishlist options buttons */
$('.button.wishlist-wish-add').removeClass('disabled');
$('.button.wishlist-share').removeClass('disabled');
$('.button.wishlist-options')
.removeClass('disabled')
.dropdown({
'action' : 'select'
});
$('.wishlist-rename').removeClass('disabled');
$('.wishlist-delete').removeClass('disabled');
/** Update URL */
urlParams.set('id', wishlist_id);
updateURL();
/** */
/**
* Very dirty hack to ensure the wishes are going to be
* displayed after the page has laoded.
*/
setTimeout(function dropdown_wishlists_api() {
var api_is_complete = $('.ui.dropdown.filter.priority').api('was complete');
if ($('.ui.column.wishlist > .column').length > 0 && api_is_complete) {
$('.ui.dropdown.filter.priority').api('query');
setTimeout(dropdown_wishlists_api, 1);
}
}, 1);
} else { } else {
/** Disable wishlist options buttons */ /** Disable wishlist options buttons */
$('.button.wishlist-wish-add').removeClass('disabled'); $('.button.wishlist-wish-add').removeClass('disabled');

7
src/classes/wishthis/Wishlist.php
View file

@ -28,7 +28,12 @@ class Wishlist
} }
$wishlistData = $wishlistQuery->fetch(); $wishlistData = $wishlistQuery->fetch();
$wishlist = new Wishlist($wishlistData);
if (false === $wishlistData) {
return false;
}
$wishlist = new Wishlist($wishlistData);
return $wishlist; return $wishlist;
} }