Add list-owner enforcement for managing list items from the front-end

engram-design · engram-design · commit d1092da7c0ef · 2025-09-12T08:19:24.000+10:00
diff --git a/src/controllers/BaseController.php b/src/controllers/BaseController.php
@@ -2,13 +2,15 @@
 namespace verbb\wishlist\controllers;
 
 use verbb\wishlist\Wishlist;
+use verbb\wishlist\elements\ListElement;
 use verbb\wishlist\models\Settings;
 
 use Craft;
 use craft\helpers\StringHelper;
 use craft\web\Controller;
 
 use yii\web\ForbiddenHttpException;
+use yii\web\HttpException;
 use yii\web\Response;
 
 class BaseController extends Controller
@@ -27,6 +29,44 @@ protected function enforceEnabledList($list): void
         }
     }
 
+    protected function enforceListPermissions(ListElement $list, bool $enforceOwner = true): void
+    {
+        if (!$list->getType()) {
+            Craft::error('Attempting to access a list that doesn’t have a type', __METHOD__);
+            throw new HttpException(404);
+        }
+
+        // If this is a front-end request, ensure that it's the owner of the list making changes
+        if ($enforceOwner) {
+            if (Craft::$app->getRequest()->getIsSiteRequest()) {
+                $currentUser = Craft::$app->getUser()->getIdentity();
+
+                // If an admin, assume they have permission to edit another list
+                if (Craft::$app->getUser()->getIsAdmin()) {
+                    return;
+                }
+
+                // If logged in, easy check
+                if ($currentUser) {
+                    if ($currentUser->id !== $list->userId) {
+                        throw new HttpException(403);
+                    }
+
+                    return;
+                }
+
+                if ($list->sessionId !== Craft::$app->getSession()->get('wishlist_list')) {
+                    // Check if the guests session matches the lists
+                    throw new HttpException(403);
+                }
+
+                return;
+            }
+            
+            $this->requirePermission('wishlist-manageListType:' . $list->getType()->uid);
+        }
+    }
+
     protected function returnSuccess($message, $params = [], $object = null): Response
     {
         $request = Craft::$app->getRequest();
diff --git a/src/controllers/ItemsController.php b/src/controllers/ItemsController.php
@@ -187,6 +187,7 @@ public function actionAdd(): ?Response
 
             // Check if we're allowed to manage lists
             $this->enforceEnabledList($item->getList());
+            $this->enforceListPermissions($item->getList());
 
             // Set any additional options on the item
             $options = $postItem['options'] ?? [];
@@ -252,6 +253,7 @@ public function actionRemove(): ?Response
 
         // Check if we're allowed to manage lists
         $this->enforceEnabledList($list);
+        $this->enforceListPermissions($list);
 
         $errors = [];
 
@@ -348,6 +350,7 @@ public function actionToggle(): ?Response
 
         // Check if we're allowed to manage lists
         $this->enforceEnabledList($list);
+        $this->enforceListPermissions($list);
 
         $errors = [];
 
@@ -457,6 +460,7 @@ public function actionUpdate(): ?Response
 
         // Check if we're allowed to manage lists
         $this->enforceEnabledList($item->getList());
+        $this->enforceListPermissions($item->getList());
 
         $item->setFieldValuesFromRequest('fields');
 
diff --git a/src/controllers/ListsController.php b/src/controllers/ListsController.php
@@ -492,48 +492,6 @@ public function actionShareByEmail(): ?Response
     }
 
 
-    // Protected Methods
-    // =========================================================================
-
-    protected function enforceListPermissions(ListElement $list, bool $enforceOwner = true): void
-    {
-        if (!$list->getType()) {
-            Craft::error('Attempting to access a list that doesn’t have a type', __METHOD__);
-            throw new HttpException(404);
-        }
-
-        // If this is a front-end request, ensure that it's the owner of the list making changes
-        if ($enforceOwner) {
-            if (Craft::$app->getRequest()->getIsSiteRequest()) {
-                $currentUser = Craft::$app->getUser()->getIdentity();
-
-                // If an admin, assume they have permission to edit another list
-                if (Craft::$app->getUser()->getIsAdmin()) {
-                    return;
-                }
-
-                // If logged in, easy check
-                if ($currentUser) {
-                    if ($currentUser->id !== $list->userId) {
-                        throw new HttpException(403);
-                    }
-
-                    return;
-                }
-
-                if ($list->sessionId !== Craft::$app->getSession()->get('wishlist_list')) {
-                    // Check if the guests session matches the lists
-                    throw new HttpException(403);
-                }
-
-                return;
-            }
-            
-            $this->requirePermission('wishlist-manageListType:' . $list->getType()->uid);
-        }
-    }
-
-
     // Private Methods
     // =========================================================================
 
