Prevent unauthorized wish access

2022-02-27 14:25:16 +01:00 · 2022-02-27 14:25:16 +01:00 · ec27064211
commit ec27064211
parent 937da2212f
2 changed files with 21 additions and 14 deletions
--- a/src/classes/user.php
+++ b/src/classes/user.php
@ -59,11 +59,11 @@ class User
    {
        global $database;

-        $wishlists = $database->query(
-            'SELECT *
-             FROM wishlists
-             WHERE user = ' . $this->id . ';'
-        )->fetchAll();
+        $wishlists = $database
+        ->query('SELECT *
+                   FROM `wishlists`
+                  WHERE `user` = ' . $this->id . ';')
+        ->fetchAll();

        return $wishlists;
    }
@ -79,11 +79,11 @@ class User
    {
        global $database;

-        $wishes = $database->query(
-            'SELECT *
-             FROM wishes
-             WHERE wishlist = ' . $wishlist . ';'
-        )->fetchAll();
+        $wishes = $database
+        ->query('SELECT *
+                   FROM `wishes`
+                  WHERE `wishlist` = ' . $wishlist . ';')
+        ->fetchAll();

        return $wishes;
    }
--- a/src/pages/wish.php
+++ b/src/pages/wish.php
@ -21,10 +21,18 @@ if ('POST' === $_SERVER['REQUEST_METHOD'] && count($_POST) >= 0) {
    $messages[] = Page::success('Wish successfully updated.', 'Success');
 }

-$wish = new Wish($_GET['id'], false);
+$userIsAuthenticated = false;
+$wish                = new Wish($_GET['id'], false);
+$wishlists           = $user->getWishlists($wish->wishlist);

-/*
-if (!$wish->exists()) {
+foreach ($wishlists as $wishlist) {
+    if ($wish->wishlist === intval($wishlist['id'])) {
+        $userIsAuthenticated = true;
+        break;
+    }
+}
+
+if (!$userIsAuthenticated) {
    http_response_code(404);
    ?>
    <h1>Not found</h1>
@ -32,7 +40,6 @@ if (!$wish->exists()) {
    <?php
    die();
 }
-*/

 $page = new page(__FILE__, $wish->title);
 $page->header();