Prevent unauthorized wish access

This commit is contained in:
grandeljay 2022-02-27 14:25:16 +01:00
parent 937da2212f
commit ec27064211
2 changed files with 21 additions and 14 deletions

View file

@ -59,11 +59,11 @@ class User
{ {
global $database; global $database;
$wishlists = $database->query( $wishlists = $database
'SELECT * ->query('SELECT *
FROM wishlists FROM `wishlists`
WHERE user = ' . $this->id . ';' WHERE `user` = ' . $this->id . ';')
)->fetchAll(); ->fetchAll();
return $wishlists; return $wishlists;
} }
@ -79,11 +79,11 @@ class User
{ {
global $database; global $database;
$wishes = $database->query( $wishes = $database
'SELECT * ->query('SELECT *
FROM wishes FROM `wishes`
WHERE wishlist = ' . $wishlist . ';' WHERE `wishlist` = ' . $wishlist . ';')
)->fetchAll(); ->fetchAll();
return $wishes; return $wishes;
} }

View file

@ -21,10 +21,18 @@ if ('POST' === $_SERVER['REQUEST_METHOD'] && count($_POST) >= 0) {
$messages[] = Page::success('Wish successfully updated.', 'Success'); $messages[] = Page::success('Wish successfully updated.', 'Success');
} }
$userIsAuthenticated = false;
$wish = new Wish($_GET['id'], false); $wish = new Wish($_GET['id'], false);
$wishlists = $user->getWishlists($wish->wishlist);
/* foreach ($wishlists as $wishlist) {
if (!$wish->exists()) { if ($wish->wishlist === intval($wishlist['id'])) {
$userIsAuthenticated = true;
break;
}
}
if (!$userIsAuthenticated) {
http_response_code(404); http_response_code(404);
?> ?>
<h1>Not found</h1> <h1>Not found</h1>
@ -32,7 +40,6 @@ if (!$wish->exists()) {
<?php <?php
die(); die();
} }
*/
$page = new page(__FILE__, $wish->title); $page = new page(__FILE__, $wish->title);
$page->header(); $page->header();