fix: api authentication bypasses

This commit is contained in:
Niklas Bittner 2024-02-25 22:26:31 +01:00 committed by Jay Trees
parent d60c2ff432
commit ed45d182d1
2 changed files with 29 additions and 3 deletions


@ -27,13 +27,23 @@ switch ($_SERVER['REQUEST_METHOD']) {
case 'POST':
if (isset($_POST['wishlist'])) {
if (!$user->isLoggedIn()) {
http_response_code(403);
die(__('You must be logged in to save or delete a saved wishlist.'));
return;
}
$wishlist = $database
->query(
'SELECT *
FROM `wishlists_saved`
WHERE `wishlist` = :wishlist_id',
FROM `wishlists_saved`
LEFT OUTER JOIN `wishlists` ON `wishlists`.`id` = `wishlists_saved`.`wishlist`
WHERE `wishlists_saved`.`user` = :user_id
AND `wishlist` = :wishlist_id;',
array(
'wishlist_id' => Sanitiser::getNumber($_POST['wishlist'])
'wishlist_id' => Sanitiser::getNumber($_POST['wishlist']),
'user_id' => $user->getId()
)
)
->fetch();
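Review bot: `SELECT *` over the newly added LEFT OUTER JOIN returns the columns of both tables, so any column name shared by `wishlists_saved` and `wishlists` (the join condition shows `wishlists`.`id`; if `wishlists_saved` has its own `id`, the row carries two) collapses to a single key in the fetched array and the code that reads `$wishlist` may see the wrong table's value. Naming the columns, e.g. `'SELECT `wishlists_saved`.*` with the rest of the query unchanged, keeps the old row shape while still enforcing the `user` match. When the requesting user does not own the saved wishlist the query yields no row and `fetch()` returns `false`; the consumer of `$wishlist` lies outside this hunk, as does the enclosing `switch`, so confirm it treats `false` as a 403/404 rather than proceeding. Minor: the `return;` after `die()` is unreachable, and `http_response_code` is unqualified here while the second file calls `\http_response_code`.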


@ -223,6 +223,14 @@ switch ($_SERVER['REQUEST_METHOD']) {
case 'PUT':
$_PUT = $this->input;
if (!$user->ownsWishlist()) {
\http_response_code(403);
die(__('You may only modify wishlists you own.'));
return;
}
$database
->query(
'UPDATE `wishlists`
@ -240,6 +248,14 @@ switch ($_SERVER['REQUEST_METHOD']) {
case 'DELETE':
$_DELETE = $this->input;
if (!$user->ownsWishlist()) {
\http_response_code(403);
die(__('You may only delete wishlists you own.'));
return;
}
$database->query(
'DELETE FROM `wishlists`
WHERE `id` = :wishlist_id;',
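Review bot: `$user->ownsWishlist()` is called with no argument in both the PUT hunk and the DELETE hunk, yet the wishlist being modified is taken from the request body (`$_PUT` / `$_DELETE`, bound as `:wishlist_id` in the DELETE statement), so nothing visible ties the ownership check to that id. The method's definition is not part of this commit; if it resolves the wishlist from another source (a query parameter or earlier request state) the check can pass for a different wishlist than the one the statement then updates or deletes, which would leave the bypass this commit fixes partially open. Pass the id explicitly, `if (!$user->ownsWishlist(<wishlist id from the request body, the same value bound to :wishlist_id>)) {` (placeholder shown), or add a comment at the check stating where `ownsWishlist()` obtains its id. The enclosing `switch` and the remainder of each case body lie outside these hunks, and the `return;` after `die()` is unreachable in both.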