fix: api authentication bypasses

This commit is contained in:
Niklas Bittner 2024-02-25 22:26:31 +01:00 committed by Jay Trees
parent d60c2ff432
commit ed45d182d1
2 changed files with 29 additions and 3 deletions


@ -27,13 +27,23 @@ switch ($_SERVER['REQUEST_METHOD']) {
case 'POST': case 'POST':
if (isset($_POST['wishlist'])) { if (isset($_POST['wishlist'])) {
if (!$user->isLoggedIn()) {
http_response_code(403);
die(__('You must be logged in to save or delete a saved wishlist.'));
return;
}
$wishlist = $database $wishlist = $database
->query( ->query(
'SELECT * 'SELECT *
FROM `wishlists_saved` FROM `wishlists_saved`
WHERE `wishlist` = :wishlist_id', LEFT OUTER JOIN `wishlists` ON `wishlists`.`id` = `wishlists_saved`.`wishlist`
WHERE `wishlists_saved`.`user` = :user_id
AND `wishlist` = :wishlist_id;',
array( array(
'wishlist_id' => Sanitiser::getNumber($_POST['wishlist']) 'wishlist_id' => Sanitiser::getNumber($_POST['wishlist']),
'user_id' => $user->getId()
) )
) )
->fetch(); ->fetch();
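Review bot: `SELECT *` over the newly added LEFT OUTER JOIN in the POST query returns both tables' columns under one associative row, and any name present in both `wishlists_saved` and `wishlists` (`id` is certainly in `wishlists`, `user` plausibly in both) comes back with the `wishlists` value, because a fetch by column name keeps the last duplicate. If the code after `->fetch()` (outside the hunk) reads `$wishlist['id']` or `$wishlist['user']` expecting the saved-row values, it now silently sees the joined wishlist's values instead; the new ownership filter itself only references `wishlists_saved` columns, so the join contributes nothing to that check. Selecting explicitly, `'SELECT `wishlists_saved`.*` (or the specific columns the caller uses), keeps the row shape the caller expects. The `return;` after `die(...)` in the login guard is unreachable and can be dropped; the same `die`-then-`return` pattern recurs in both the PUT and DELETE hunks of the second file, which also spell the call as `\http_response_code` while this file uses the unprefixed form. The enclosing `case 'POST'` continues past the hunk.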


@ -223,6 +223,14 @@ switch ($_SERVER['REQUEST_METHOD']) {
case 'PUT': case 'PUT':
$_PUT = $this->input; $_PUT = $this->input;
if (!$user->ownsWishlist()) {
\http_response_code(403);
die(__('You may only modify wishlists you own.'));
return;
}
$database $database
->query( ->query(
'UPDATE `wishlists` 'UPDATE `wishlists`
@ -240,6 +248,14 @@ switch ($_SERVER['REQUEST_METHOD']) {
case 'DELETE': case 'DELETE':
$_DELETE = $this->input; $_DELETE = $this->input;
if (!$user->ownsWishlist()) {
\http_response_code(403);
die(__('You may only delete wishlists you own.'));
return;
}
$database->query( $database->query(
'DELETE FROM `wishlists` 'DELETE FROM `wishlists`
WHERE `id` = :wishlist_id;', WHERE `id` = :wishlist_id;',