From 5c5fc07481639a1dd4a0deccff90c1ee89c5a5c1 Mon Sep 17 00:00:00 2001
From: poignatov
Date: Thu, 29 Jan 2026 16:00:17 +0300
Subject: [PATCH] =?UTF-8?q?4.2.2:=20=D0=98=D1=81=D0=BF=D1=80=D0=B0=D0=B2?=
 =?UTF-8?q?=D0=BB=D0=B5=D0=BD=D0=B0=20=D0=BF=D1=80=D0=BE=D0=B2=D0=B5=D1=80?=
 =?UTF-8?q?=D0=BA=D0=B0=20=D0=B4=D0=BE=D1=81=D1=82=D1=83=D0=BF=D0=B0=20?=
 =?UTF-8?q?=D0=BA=20=D0=B6=D0=B5=D0=BB=D0=B0=D0=BD=D0=B8=D1=8E?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 VERSION | 2 +-
 play-life-backend/main.go | 30 ++++++++++++++++++++++++++----
 play-life-web/package.json | 2 +-
 3 files changed, 28 insertions(+), 6 deletions(-)

diff --git a/VERSION b/VERSION
index fae6e3d..af8c8ec 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-4.2.1
+4.2.2
diff --git a/play-life-backend/main.go b/play-life-backend/main.go
index af2b457..73b0255 100644
--- a/play-life-backend/main.go
+++ b/play-life-backend/main.go
@@ -7093,14 +7093,16 @@ func (a *App) createTaskHandler(w http.ResponseWriter, r *http.Request) {
 }
 }
 
- // Валидация wishlist_id: если указан, проверяем что желание существует и принадлежит пользователю
+ // Валидация wishlist_id: если указан, проверяем что желание существует и пользователь имеет доступ
 var wishlistName string
 if req.WishlistID != nil {
 var wishlistOwnerID int
+ var authorID sql.NullInt64
+ var boardID sql.NullInt64
 err := a.DB.QueryRow(`
- SELECT user_id, name FROM wishlist_items
+ SELECT user_id, name, author_id, board_id FROM wishlist_items
 WHERE id = $1 AND deleted = FALSE
- `, *req.WishlistID).Scan(&wishlistOwnerID, &wishlistName)
+ `, *req.WishlistID).Scan(&wishlistOwnerID, &wishlistName, &authorID, &boardID)
 
 if err == sql.ErrNoRows {
 sendErrorWithCORS(w, "Wishlist item not found", http.StatusBadRequest)
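Review bot: The `http.StatusBadRequest` on the hunk's last line, returned when the wish id does not exist, differs from the `http.StatusNotFound` that the next hunk returns with the identical message when the wish exists but the caller has no access, so a client can enumerate valid `wishlist_items` ids by status code alone even though the message is the same. Since this commit is the one widening who may reference a wish, this is the place to make the two outcomes indistinguishable, e.g. `sendErrorWithCORS(w, "Wishlist item not found", http.StatusNotFound)` here as well. Also, `user_id` is scanned into a plain `int` while the newly added `author_id` and `board_id` are scanned into `sql.NullInt64`; if `user_id` can also be NULL for board-owned wishes, that Scan fails and the request is rejected as a database error, which is worth confirming against the schema. createTaskHandler begins before this hunk and continues after it.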
@@ -7112,7 +7114,27 @@ func (a *App) createTaskHandler(w http.ResponseWriter, r *http.Request) {
 return
 }
 
- if wishlistOwnerID != userID {
+ hasAccess := wishlistOwnerID == userID
+ // Проверяем, является ли пользователь автором желания
+ if !hasAccess && authorID.Valid && authorID.Int64 == int64(userID) {
+ hasAccess = true
+ }
+ // Проверяем доступ к доске, если желание принадлежит доске
+ if !hasAccess && boardID.Valid {
+ var boardOwnerID int
+ err := a.DB.QueryRow(`SELECT owner_id FROM wishlist_boards WHERE id = $1 AND deleted = FALSE`, boardID.Int64).Scan(&boardOwnerID)
+ if err == nil && boardOwnerID == userID {
+ hasAccess = true
+ } else if err == nil {
+ var isMember bool
+ a.DB.QueryRow(`SELECT EXISTS(SELECT 1 FROM wishlist_board_members WHERE board_id = $1 AND user_id = $2)`, boardID.Int64, userID).Scan(&isMember)
+ if isMember {
+ hasAccess = true
+ }
+ }
+ }
+
+ if !hasAccess {
 sendErrorWithCORS(w, "Wishlist item not found", http.StatusNotFound)
 return
 }
diff --git a/play-life-web/package.json b/play-life-web/package.json
index 90b833d..b13250a 100644
--- a/play-life-web/package.json
+++ b/play-life-web/package.json
@@ -1,6 +1,6 @@
 {
 "name": "play-life-web",
- "version": "4.2.1",
+ "version": "4.2.2",
 "type": "module",
 "scripts": {
 "dev": "vite",
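Review bot: The board-membership lookup discards the error from `Scan(&isMember)`, and a board query that fails with anything other than `sql.ErrNoRows` matches neither `err == nil` branch and silently falls through to the 404, so a database failure on this path is reported to the client as "Wishlist item not found" rather than as a server error; the outcome is fail-closed, which is the right default, but it hides outages behind an authorization denial. Handle a non-ErrNoRows error the same way the wishlist lookup just above does (that branch sits between the two hunks) and check the membership Scan error explicitly, as sketched below. Two smaller points: the `wishlist_board_members` query has no `deleted = FALSE` guard and no role condition, unlike the queries on the other two tables, so if that table carries a soft-delete flag or a viewer/editor role the check should honour it; and this owner/author/board-member rule reads like the general "may this user see this wish" predicate that other wishlist handlers presumably also need, so lifting it into one helper such as `func (a *App) canAccessWishlist(...)` would keep the rule from drifting between handlers. The enclosing createTaskHandler continues outside the hunk.

```go
	if !hasAccess && boardID.Valid {
		var boardOwnerID int
		err := a.DB.QueryRow(`SELECT owner_id FROM wishlist_boards WHERE id = $1 AND deleted = FALSE`, boardID.Int64).Scan(&boardOwnerID)
		switch {
		case err == sql.ErrNoRows:
			// board is gone: leave hasAccess false and fall through to the deny below
		case err != nil:
			// … same handling as the non-ErrNoRows branch of the wishlist lookup above (server error) …
			return
		case boardOwnerID == userID:
			hasAccess = true
		default:
			var isMember bool
			if err := a.DB.QueryRow(`SELECT EXISTS(SELECT 1 FROM wishlist_board_members WHERE board_id = $1 AND user_id = $2)`, boardID.Int64, userID).Scan(&isMember); err != nil {
				// … same handling as above …
				return
			}
			hasAccess = isMember
		}
	}
```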