Prevent unauthorized wish access
parent
937da2212f
commit
ec27064211
2 changed files with 21 additions and 14 deletions
|
@ -59,11 +59,11 @@ class User
|
|||
{
|
||||
global $database;
|
||||
|
||||
$wishlists = $database->query(
|
||||
'SELECT *
|
||||
FROM wishlists
|
||||
WHERE user = ' . $this->id . ';'
|
||||
)->fetchAll();
|
||||
$wishlists = $database
|
||||
->query('SELECT *
|
||||
FROM `wishlists`
|
||||
WHERE `user` = ' . $this->id . ';')
|
||||
->fetchAll();
|
||||
|
||||
return $wishlists;
|
||||
}
|
||||
|
@ -79,11 +79,11 @@ class User
|
|||
{
|
||||
global $database;
|
||||
|
||||
$wishes = $database->query(
|
||||
'SELECT *
|
||||
FROM wishes
|
||||
WHERE wishlist = ' . $wishlist . ';'
|
||||
)->fetchAll();
|
||||
$wishes = $database
|
||||
->query('SELECT *
|
||||
FROM `wishes`
|
||||
WHERE `wishlist` = ' . $wishlist . ';')
|
||||
->fetchAll();
|
||||
|
||||
return $wishes;
|
||||
}
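Review bot: The reformatted query in the second hunk still builds its SQL by concatenating `$wishlist` into the string, so quoting the identifiers does not make the statement safe if that value can originate from a request. The function signature is outside the hunk, so where `$wishlist` comes from is not visible here. Assuming it is a caller-supplied parameter, coerce it before use, e.g. `' . (int) $wishlist . ';'`, or bind it through a prepared statement if the `$database` wrapper offers one. The `$this->id` concatenation in the first hunk is lower risk but would benefit from the same treatment for consistency.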
|
||||
|
|
|
@ -21,10 +21,18 @@ if ('POST' === $_SERVER['REQUEST_METHOD'] && count($_POST) >= 0) {
|
|||
$messages[] = Page::success('Wish successfully updated.', 'Success');
|
||||
}
|
||||
|
||||
$wish = new Wish($_GET['id'], false);
|
||||
$userIsAuthenticated = false;
|
||||
$wish = new Wish($_GET['id'], false);
|
||||
$wishlists = $user->getWishlists($wish->wishlist);
|
||||
|
||||
/*
|
||||
if (!$wish->exists()) {
|
||||
foreach ($wishlists as $wishlist) {
|
||||
if ($wish->wishlist === intval($wishlist['id'])) {
|
||||
$userIsAuthenticated = true;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
if (!$userIsAuthenticated) {
|
||||
http_response_code(404);
|
||||
?>
|
||||
<h1>Not found</h1>
|
||||
|
@ -32,7 +40,6 @@ if (!$wish->exists()) {
|
|||
<?php
|
||||
die();
|
||||
}
|
||||
*/
|
||||
|
||||
$page = new page(__FILE__, $wish->title);
|
||||
$page->header();
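Review bot: The new ownership check sits after the POST branch whose tail (`Wish successfully updated.`) is visible at the top of the first hunk, so it appears to gate only the rendering of the page and not the update itself. The body of that branch is outside the hunk; unless it verifies ownership on its own, the loop and the 404 exit should move above it so that a request for a wish on another user's list is rejected before anything is written. Separately, `$wish->wishlist === intval($wishlist['id'])` only matches if `Wish` stores that column as an int; if it holds the string the database returned, every legitimate owner gets the 404, so comparing against `intval($wish->wishlist)` would be safer. `$userIsAuthenticated` records an authorization decision rather than a login state, and a name such as `$userOwnsWish` would say that.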
|
||||
|
|