From 41dd02147c7c0dddb34f605dbd80d2404f377002 Mon Sep 17 00:00:00 2001
From: Egor fureunoir Gorbunov
Date: Sun, 6 Jul 2025 16:25:28 +0300
Subject: [PATCH] Fixes: 1) Ensure `Wishlist` object query includes user constraint to prevent unauthorized access; Extra: None;

---
 core/graphene/mutations.py | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/core/graphene/mutations.py b/core/graphene/mutations.py
index a75211da..dca6bda3 100644
--- a/core/graphene/mutations.py
+++ b/core/graphene/mutations.py
@@ -299,10 +299,7 @@ class BulkWishlistAction(BaseMutation):
             raise BadRequest(_("please provide wishlist_uuid value"))
         user = info.context.user
         try:
-            wishlist = Wishlist.objects.get(uuid=wishlist_uuid)
-
-            if user != wishlist.user or not user.has_perm("core.change_wishlist"):
-                raise PermissionDenied(permission_denied_message)
+            wishlist = Wishlist.objects.get(user=user, uuid=wishlist_uuid)
             # noinspection PyUnreachableCode
             match action: