Merge branch 'craft-4' of https://github.com/verbb/wishlist into craft-5

# Conflicts:
#	CHANGELOG.md
#	composer.json
#	src/controllers/BaseController.php
#	src/controllers/ItemsController.php

Author: engram-design

CHANGELOG.md

@@ -115,6 +115,11 @@
 ### Deprecated
 - Deprecated `craft.wishlist.item()`. Use `craft.wishlist.items(params)` to find items, or `craft.wishlist.addItemUrl/toggleItemUrl/removeItemUrl` to manage items.
 
+## 2.0.17 - 2025-09-12
+
+### Added
+- Add list-owner enforcement for managing list items from the front-end.
+
 ## 2.0.16 - 2025-07-18
 
 ### Changed

src/controllers/BaseController.php

@@ -10,6 +10,7 @@
 use craft\web\Controller;
 
 use yii\web\ForbiddenHttpException;
+use yii\web\HttpException;
 use yii\web\Response;
 
 class BaseController extends Controller
@@ -28,6 +29,44 @@ protected function enforceEnabledList(?ListElement $list): void
         }
     }
 
+    protected function enforceListPermissions(ListElement $list, bool $enforceOwner = true): void
+    {
+        if (!$list->getType()) {
+            Craft::error('Attempting to access a list that doesn’t have a type', __METHOD__);
+            throw new HttpException(404);
+        }
+
+        // If this is a front-end request, ensure that it's the owner of the list making changes
+        if ($enforceOwner) {
+            if (Craft::$app->getRequest()->getIsSiteRequest()) {
+                $currentUser = Craft::$app->getUser()->getIdentity();
+
+                // If an admin, assume they have permission to edit another list
+                if (Craft::$app->getUser()->getIsAdmin()) {
+                    return;
+                }
+
+                // If logged in, easy check
+                if ($currentUser) {
+                    if ($currentUser->id !== $list->userId) {
+                        throw new HttpException(403);
+                    }
+
+                    return;
+                }
+
+                if ($list->sessionId !== Craft::$app->getSession()->get('wishlist_list')) {
+                    // Check if the guests session matches the lists
+                    throw new HttpException(403);
+                }
+
+                return;
+            }
+            
+            $this->requirePermission('wishlist-manageListType:' . $list->getType()->uid);
+        }
+    }
+
     protected function returnSuccess(string $message, array $params = [], ?object $object = null): Response
     {
         // Try and determine the action automatically

src/controllers/ItemsController.php

@@ -177,6 +177,9 @@ public function actionAdd(): ?Response
                     continue;
                 }
 
+                // Check if we're allowed to manage lists
+                $this->enforceListPermissions($list);
+
                 // Create the item for the list and element, with additional attributes
                 $item = $this->_getOrCreateItem($list, $element, $postItem);
 
@@ -246,6 +249,9 @@ public function actionToggle(): ?Response
                     continue;
                 }
 
+                // Check if we're allowed to manage lists
+                $this->enforceListPermissions($list);
+
                 // Create the item for the list and element, with additional attributes
                 $item = $this->_getOrCreateItem($list, $element, $postItem);
 
@@ -312,6 +318,9 @@ public function actionRemove(): ?Response
                     continue;
                 }
 
+                // Check if we're allowed to manage lists
+                $this->enforceListPermissions($list);
+
                 // Create the item for the list and element, with additional attributes
                 $item = $this->_getOrCreateItem($list, $element, $postItem);
 
@@ -373,6 +382,7 @@ public function actionUpdate(): ?Response
 
             // Check if we're allowed to manage lists
             $this->enforceEnabledList($item->getList());
+            $this->enforceListPermissions($item->getList());
 
             $item->setFieldValues($fields);
             $item->setOptions($options);
@@ -539,6 +549,7 @@ private function _getOrCreateLists(array $postItem): array
 
             // Check if we're allowed to manage lists
             $this->enforceEnabledList($list);
+            $this->enforceListPermissions($list);
 
             $lists[] = $list;
         }

src/controllers/ListsController.php

@@ -626,48 +626,6 @@ public function actionDuplicateList(): ?Response
     }
 
 
-    // Protected Methods
-    // =========================================================================
-
-    protected function enforceListPermissions(ListElement $list, bool $enforceOwner = true): void
-    {
-        if (!$list->getType()) {
-            Craft::error('Attempting to access a list that doesn’t have a type', __METHOD__);
-            throw new HttpException(404);
-        }
-
-        // If this is a front-end request, ensure that it's the owner of the list making changes
-        if ($enforceOwner) {
-            if (Craft::$app->getRequest()->getIsSiteRequest()) {
-                $currentUser = Craft::$app->getUser()->getIdentity();
-
-                // If an admin, assume they have permission to edit another list
-                if (Craft::$app->getUser()->getIsAdmin()) {
-                    return;
-                }
-
-                // If logged in, easy check
-                if ($currentUser) {
-                    if ($currentUser->id !== $list->userId) {
-                        throw new HttpException(403);
-                    }
-
-                    return;
-                }
-
-                if ($list->sessionId !== Craft::$app->getSession()->get('wishlist_list')) {
-                    // Check if the guests session matches the lists
-                    throw new HttpException(403);
-                }
-
-                return;
-            }
-            
-            $this->requirePermission('wishlist-manageListType:' . $list->getType()->uid);
-        }
-    }
-
-
     // Private Methods
     // =========================================================================