Fixes: 1) Ensure Wishlist object query includes user constraint to prevent unauthorized access;

Extra: None;
2025-07-06 16:25:28 +03:00 · 2025-07-06 16:25:28 +03:00 · 41dd02147c
commit 41dd02147c
parent d3dd23d99f
1 changed files with 1 additions and 4 deletions
--- a/core/graphene/mutations.py
+++ b/core/graphene/mutations.py
@ -299,10 +299,7 @@ class BulkWishlistAction(BaseMutation):
            raise BadRequest(_("please provide wishlist_uuid value"))
        user = info.context.user
        try:
-            wishlist = Wishlist.objects.get(uuid=wishlist_uuid)
-
-            if user != wishlist.user or not user.has_perm("core.change_wishlist"):
-                raise PermissionDenied(permission_denied_message)
+            wishlist = Wishlist.objects.get(user=user, uuid=wishlist_uuid)

            # noinspection PyUnreachableCode
            match action: