Prevent unauthorized wish access

This commit is contained in:
grandeljay 2022-02-27 14:25:16 +01:00
parent 937da2212f
commit ec27064211
2 changed files with 21 additions and 14 deletions


@ -59,11 +59,11 @@ class User
{
global $database;
$wishlists = $database->query(
'SELECT *
FROM wishlists
WHERE user = ' . $this->id . ';'
)->fetchAll();
$wishlists = $database
->query('SELECT *
FROM `wishlists`
WHERE `user` = ' . $this->id . ';')
->fetchAll();
return $wishlists;
}
@ -79,11 +79,11 @@ class User
{
global $database;
$wishes = $database->query(
'SELECT *
FROM wishes
WHERE wishlist = ' . $wishlist . ';'
)->fetchAll();
$wishes = $database
->query('SELECT *
FROM `wishes`
WHERE `wishlist` = ' . $wishlist . ';')
->fetchAll();
return $wishes;
}
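Review bot: Both rewritten queries still build the SQL by concatenation (`. $this->id .` in the first hunk, `. $wishlist .` in the second); the commit only adds backticks around identifiers and leaves the values interpolated. `$wishlist` is a method parameter whose origin and type are outside this hunk (the signature is not shown), so it should be bound rather than spliced in: if `$database` is, or wraps, a PDO instance, `$stmt = $database->prepare('SELECT * FROM wishes WHERE wishlist = ?'); $stmt->execute([$wishlist]); return $stmt->fetchAll();`, and the same shape for the `$this->id` query in the first hunk. An `int` type declaration on the `$wishlist` parameter, added where the signature lives, would be a second line of defence. The enclosing methods both start outside their hunks.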


@ -21,10 +21,18 @@ if ('POST' === $_SERVER['REQUEST_METHOD'] && count($_POST) >= 0) {
$messages[] = Page::success('Wish successfully updated.', 'Success');
}
$wish = new Wish($_GET['id'], false);
$userIsAuthenticated = false;
$wish = new Wish($_GET['id'], false);
$wishlists = $user->getWishlists($wish->wishlist);
/*
if (!$wish->exists()) {
foreach ($wishlists as $wishlist) {
if ($wish->wishlist === intval($wishlist['id'])) {
$userIsAuthenticated = true;
break;
}
}
if (!$userIsAuthenticated) {
http_response_code(404);
?>
<h1>Not found</h1>
@ -32,7 +40,6 @@ if (!$wish->exists()) {
<?php
die();
}
*/
$page = new page(__FILE__, $wish->title);
$page->header();
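Review bot: The new ownership check (`foreach ($wishlists as $wishlist)` through `if (!$userIsAuthenticated)`) is placed after the POST branch that reports `Wish successfully updated.`, so whatever that branch does to the wish runs before the caller's access is verified; only the rendering is gated. Move the `$userIsAuthenticated` / `$wish` / `$wishlists` block and the check above `if ('POST' === $_SERVER['REQUEST_METHOD'] ...)`, whose body starts outside this hunk, so the update path is protected as well. `$user->getWishlists($wish->wishlist)` passes an argument that the method body in the other file does not appear to use (it filters by `$this->id` only); if the parameter is indeed unused, drop it so the call does not read as filtering by wishlist. Also, `$wish->wishlist === intval($wishlist['id'])` is a strict comparison: if Wish keeps the column as the string the driver returns, it never matches and every user gets the 404, so confirm the constructor casts to int or compare with `(int) $wish->wishlist === (int) $wishlist['id']`.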