fix: api authentication bypasses
This commit is contained in:
parent
d60c2ff432
commit
ed45d182d1
2 changed files with 29 additions and 3 deletions
|
@ -27,13 +27,23 @@ switch ($_SERVER['REQUEST_METHOD']) {
|
||||||
|
|
||||||
case 'POST':
|
case 'POST':
|
||||||
if (isset($_POST['wishlist'])) {
|
if (isset($_POST['wishlist'])) {
|
||||||
|
if (!$user->isLoggedIn()) {
|
||||||
|
http_response_code(403);
|
||||||
|
die(__('You must be logged in to save or delete a saved wishlist.'));
|
||||||
|
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
$wishlist = $database
|
$wishlist = $database
|
||||||
->query(
|
->query(
|
||||||
'SELECT *
|
'SELECT *
|
||||||
FROM `wishlists_saved`
|
FROM `wishlists_saved`
|
||||||
WHERE `wishlist` = :wishlist_id',
|
LEFT OUTER JOIN `wishlists` ON `wishlists`.`id` = `wishlists_saved`.`wishlist`
|
||||||
|
WHERE `wishlists_saved`.`user` = :user_id
|
||||||
|
AND `wishlist` = :wishlist_id;',
|
||||||
array(
|
array(
|
||||||
'wishlist_id' => Sanitiser::getNumber($_POST['wishlist'])
|
'wishlist_id' => Sanitiser::getNumber($_POST['wishlist']),
|
||||||
|
'user_id' => $user->getId()
|
||||||
)
|
)
|
||||||
)
|
)
|
||||||
->fetch();
|
->fetch();
|
||||||
|
|
|
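Review bot: The `return;` after `die(__('You must be logged in to save or delete a saved wishlist.'));` is unreachable, because `die` already terminates the script; keep one or the other (the same `die`-then-`return` pair appears in the PUT and DELETE hunks below). The status sent to an unauthenticated caller is 403, whereas `http_response_code(401);` is the conventional reply for "not logged in", leaving 403 for an authenticated user who lacks rights as the PUT/DELETE hunks use it. The `SELECT *` now spans a join, so any column name shared by `wishlists_saved` and `wishlists` (presumably at least `id`) is collapsed to a single key in the row returned by `->fetch()`, and the later table's value wins; listing the needed columns explicitly, table-qualified, would keep the caller reading the intended value — verify against how the fetched row is used, which is outside this hunk.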
@ -223,6 +223,14 @@ switch ($_SERVER['REQUEST_METHOD']) {
|
||||||
case 'PUT':
|
case 'PUT':
|
||||||
$_PUT = $this->input;
|
$_PUT = $this->input;
|
||||||
|
|
||||||
|
if (!$user->ownsWishlist()) {
|
||||||
|
\http_response_code(403);
|
||||||
|
|
||||||
|
die(__('You may only modify wishlists you own.'));
|
||||||
|
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
$database
|
$database
|
||||||
->query(
|
->query(
|
||||||
'UPDATE `wishlists`
|
'UPDATE `wishlists`
|
||||||
|
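Review bot: `$user->ownsWishlist()` is called with no argument, so nothing in this hunk ties the ownership check to the wishlist id that the following `UPDATE \`wishlists\`` modifies from `$_PUT`; if the method resolves the id from a different source than the query does, the check and the write can refer to different wishlists and the bypass this commit fixes stays partly open — confirm against the method, or pass the same id the query binds to `:wishlist_id`. The DELETE hunk below has the identical shape, and its visible `WHERE \`id\` = :wishlist_id;` still binds only the wishlist id; if `wishlists` carries an owner column, adding `AND \`<owner column>\` = :user_id` there (and to this UPDATE, whose WHERE clause is outside the hunk) makes the statement itself enforce ownership the way the POST hunk now does for `wishlists_saved`, so a wrong or skipped precondition cannot touch another user's row. As a point of style, `\http_response_code(403);` is written with a leading backslash here and in the DELETE hunk while the POST hunk calls `http_response_code(403);` unqualified; pick one form.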
@ -240,6 +248,14 @@ switch ($_SERVER['REQUEST_METHOD']) {
|
||||||
case 'DELETE':
|
case 'DELETE':
|
||||||
$_DELETE = $this->input;
|
$_DELETE = $this->input;
|
||||||
|
|
||||||
|
if (!$user->ownsWishlist()) {
|
||||||
|
\http_response_code(403);
|
||||||
|
|
||||||
|
die(__('You may only delete wishlists you own.'));
|
||||||
|
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
$database->query(
|
$database->query(
|
||||||
'DELETE FROM `wishlists`
|
'DELETE FROM `wishlists`
|
||||||
WHERE `id` = :wishlist_id;',
|
WHERE `id` = :wishlist_id;',
|
||||||
|
|