fureunoir/schon
fureunoir/schon
1
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Fixes: 1) Ensure Wishlist object query includes user constraint to prevent unauthorized access;

Browse source 
Extra: None;
This commit is contained in:
Egor Pavlovich Gorbunov 2025-07-06 16:25:28 +03:00
parent d3dd23d99f
commit 41dd02147c
1 changed files with 1 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
core/graphene/mutations.py
View file

@ -299,10 +299,7 @@ class BulkWishlistAction(BaseMutation):
raise BadRequest(_("please provide wishlist_uuid value")) raise BadRequest(_("please provide wishlist_uuid value"))
user = info.context.user user = info.context.user
try: try:
wishlist = Wishlist.objects.get(uuid=wishlist_uuid) wishlist = Wishlist.objects.get(user=user, uuid=wishlist_uuid)
if user != wishlist.user or not user.has_perm("core.change_wishlist"):
raise PermissionDenied(permission_denied_message)
# noinspection PyUnreachableCode # noinspection PyUnreachableCode
match action: match action: