fix: api authentication bypasses
This commit is contained in:
parent
d60c2ff432
commit
ed45d182d1
2 changed files with 29 additions and 3 deletions
|
@ -27,13 +27,23 @@ switch ($_SERVER['REQUEST_METHOD']) {
|
|||
|
||||
case 'POST':
|
||||
if (isset($_POST['wishlist'])) {
|
||||
if (!$user->isLoggedIn()) {
|
||||
http_response_code(403);
|
||||
die(__('You must be logged in to save or delete a saved wishlist.'));
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
$wishlist = $database
|
||||
->query(
|
||||
'SELECT *
|
||||
FROM `wishlists_saved`
|
||||
WHERE `wishlist` = :wishlist_id',
|
||||
FROM `wishlists_saved`
|
||||
LEFT OUTER JOIN `wishlists` ON `wishlists`.`id` = `wishlists_saved`.`wishlist`
|
||||
WHERE `wishlists_saved`.`user` = :user_id
|
||||
AND `wishlist` = :wishlist_id;',
|
||||
array(
|
||||
'wishlist_id' => Sanitiser::getNumber($_POST['wishlist'])
|
||||
'wishlist_id' => Sanitiser::getNumber($_POST['wishlist']),
|
||||
'user_id' => $user->getId()
|
||||
)
|
||||
)
|
||||
->fetch();
|
||||
|
|
|
@ -223,6 +223,14 @@ switch ($_SERVER['REQUEST_METHOD']) {
|
|||
case 'PUT':
|
||||
$_PUT = $this->input;
|
||||
|
||||
if (!$user->ownsWishlist()) {
|
||||
\http_response_code(403);
|
||||
|
||||
die(__('You may only modify wishlists you own.'));
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
$database
|
||||
->query(
|
||||
'UPDATE `wishlists`
|
||||
|
@ -240,6 +248,14 @@ switch ($_SERVER['REQUEST_METHOD']) {
|
|||
case 'DELETE':
|
||||
$_DELETE = $this->input;
|
||||
|
||||
if (!$user->ownsWishlist()) {
|
||||
\http_response_code(403);
|
||||
|
||||
die(__('You may only delete wishlists you own.'));
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
$database->query(
|
||||
'DELETE FROM `wishlists`
|
||||
WHERE `id` = :wishlist_id;',
|
||||
|
|
Loading…
Reference in a new issue