From ed45d182d12a1e883a7fdb9c7b771ee09217b598 Mon Sep 17 00:00:00 2001 From: Niklas Bittner Date: Sun, 25 Feb 2024 22:26:31 +0100 Subject: [PATCH] fix: api authentication bypasses --- src/api/wishlists-saved.php | 16 +++++++++++++--- src/api/wishlists.php | 16 ++++++++++++++++ 2 files changed, 29 insertions(+), 3 deletions(-) diff --git a/src/api/wishlists-saved.php b/src/api/wishlists-saved.php index 90102a55..2c42b4e8 100644 --- a/src/api/wishlists-saved.php +++ b/src/api/wishlists-saved.php @@ -27,13 +27,23 @@ switch ($_SERVER['REQUEST_METHOD']) { case 'POST': if (isset($_POST['wishlist'])) { + if (!$user->isLoggedIn()) { + http_response_code(403); + die(__('You must be logged in to save or delete a saved wishlist.')); + + return; + } + $wishlist = $database ->query( 'SELECT * - FROM `wishlists_saved` - WHERE `wishlist` = :wishlist_id', + FROM `wishlists_saved` + LEFT OUTER JOIN `wishlists` ON `wishlists`.`id` = `wishlists_saved`.`wishlist` + WHERE `wishlists_saved`.`user` = :user_id + AND `wishlist` = :wishlist_id;', array( - 'wishlist_id' => Sanitiser::getNumber($_POST['wishlist']) + 'wishlist_id' => Sanitiser::getNumber($_POST['wishlist']), + 'user_id' => $user->getId() ) ) ->fetch(); diff --git a/src/api/wishlists.php b/src/api/wishlists.php index 6d2e6232..5033e865 100644 --- a/src/api/wishlists.php +++ b/src/api/wishlists.php @@ -223,6 +223,14 @@ switch ($_SERVER['REQUEST_METHOD']) { case 'PUT': $_PUT = $this->input; + if (!$user->ownsWishlist()) { + \http_response_code(403); + + die(__('You may only modify wishlists you own.')); + + return; + } + $database ->query( 'UPDATE `wishlists` @@ -240,6 +248,14 @@ switch ($_SERVER['REQUEST_METHOD']) { case 'DELETE': $_DELETE = $this->input; + if (!$user->ownsWishlist()) { + \http_response_code(403); + + die(__('You may only delete wishlists you own.')); + + return; + } + $database->query( 'DELETE FROM `wishlists` WHERE `id` = :wishlist_id;',
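Review bot: `SELECT *` over the newly added LEFT OUTER JOIN on `wishlists` makes the fetched row carry two `id` columns (and, if `wishlists` has an owner column, two `user` columns); with an associative fetch the later one wins, so any code after `->fetch()` that reads `$wishlist['id']` now sees the joined wishlists id (or null) instead of the saved row's own id. The join contributes nothing to the new ownership test, which the `wishlists_saved.user = :user_id` filter already performs, so I would drop it: `'SELECT * FROM wishlists_saved WHERE user = :user_id AND wishlist = :wishlist_id;'` (with the backquoted identifiers the file uses). The `return;` after `die()` is unreachable and can go, and `http_response_code` is called unqualified here but as `\http_response_code` in wishlists.php. The `case 'POST'` body continues past the hunk, so the INSERT/DELETE that follows should be checked to act on the user-scoped row rather than on the raw `$_POST['wishlist']`.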
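Review bot: `$user->ownsWishlist()` is called with no argument, so the check must work out the target wishlist on its own, while the UPDATE below binds its id from `$_PUT`; if the two derive the id from different inputs (the method's signature is not visible here), a request can present an owned id to one and someone else's id to the other. I would pass the same sanitised id the statement binds, e.g. `if (!$user->ownsWishlist($wishlistId))` with `$wishlistId = Sanitiser::getNumber($_PUT[...])` taken from whatever key the UPDATE uses, or better still scope the statement itself with `AND user = :user_id` bound to `$user->getId()` so check and mutation cannot diverge. The `return;` after `die()` is unreachable. The UPDATE statement and the rest of `case 'PUT'` lie beyond the hunk.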
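Review bot: The DELETE still runs `WHERE id = :wishlist_id` alone and relies on the argument-less `$user->ownsWishlist()` guard agreeing with the bound id, a check-then-act split that is easy to desynchronise. Make the statement self-protecting: `WHERE id = :wishlist_id AND user = :user_id` with `'user_id' => $user->getId()` added to the parameter array, assuming `wishlists` stores its owner in a `user` column as the method name suggests (confirm against the schema). The `return;` after `die()` is unreachable, and this guard duplicates the PUT one verbatim apart from the message, so a small helper taking the message would keep status code and wording in one place. The parameter array and the end of `case 'DELETE'` are past the hunk.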