poignatov/play-life
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

4.2.2: Исправлена проверка доступа к желанию
All checks were successful
Build and Push Docker Image / build-and-push (push) Successful in 1m28s
Details

Browse Source
This commit is contained in:
poignatov
2026-01-29 16:00:17 +03:00
parent 4e270cb322
commit 5c5fc07481
3 changed files with 28 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
VERSION
View File

@@ -1 +1 @@
4.2.1 4.2.2

30
play-life-backend/main.go
View File

@@ -7093,14 +7093,16 @@ func (a *App) createTaskHandler(w http.ResponseWriter, r *http.Request) {
} }
} }
// Валидация wishlist_id: если указан, проверяем что желание существует и принадлежит пользователю // Валидация wishlist_id: если указан, проверяем что желание существует и пользователь имеет доступ
var wishlistName string var wishlistName string
if req.WishlistID != nil { if req.WishlistID != nil {
var wishlistOwnerID int var wishlistOwnerID int
var authorID sql.NullInt64
var boardID sql.NullInt64
err := a.DB.QueryRow(` err := a.DB.QueryRow(`
SELECT user_id, name FROM wishlist_items SELECT user_id, name, author_id, board_id FROM wishlist_items
WHERE id = $1 AND deleted = FALSE WHERE id = $1 AND deleted = FALSE
`, *req.WishlistID).Scan(&wishlistOwnerID, &wishlistName) `, *req.WishlistID).Scan(&wishlistOwnerID, &wishlistName, &authorID, &boardID)
if err == sql.ErrNoRows { if err == sql.ErrNoRows {
sendErrorWithCORS(w, "Wishlist item not found", http.StatusBadRequest) sendErrorWithCORS(w, "Wishlist item not found", http.StatusBadRequest)
@@ -7112,7 +7114,27 @@ func (a *App) createTaskHandler(w http.ResponseWriter, r *http.Request) {
return return
} }
if wishlistOwnerID != userID { hasAccess := wishlistOwnerID == userID
// Проверяем, является ли пользователь автором желания
if !hasAccess && authorID.Valid && authorID.Int64 == int64(userID) {
hasAccess = true
}
// Проверяем доступ к доске, если желание принадлежит доске
if !hasAccess && boardID.Valid {
var boardOwnerID int
err := a.DB.QueryRow(`SELECT owner_id FROM wishlist_boards WHERE id = $1 AND deleted = FALSE`, boardID.Int64).Scan(&boardOwnerID)
if err == nil && boardOwnerID == userID {
hasAccess = true
} else if err == nil {
var isMember bool
a.DB.QueryRow(`SELECT EXISTS(SELECT 1 FROM wishlist_board_members WHERE board_id = $1 AND user_id = $2)`, boardID.Int64, userID).Scan(&isMember)
if isMember {
hasAccess = true
}
}
}
if !hasAccess {
sendErrorWithCORS(w, "Wishlist item not found", http.StatusNotFound) sendErrorWithCORS(w, "Wishlist item not found", http.StatusNotFound)
return return
} }

2
play-life-web/package.json
View File

@@ -1,6 +1,6 @@
{ {
"name": "play-life-web", "name": "play-life-web",
"version": "4.2.1", "version": "4.2.2",
"type": "module", "type": "module",
"scripts": { "scripts": {
"dev": "vite", "dev": "vite",