Merge pull request #139 from BitBagCommerce/OPSRC-588/Security_fix_fo…

…r_access_to_wishlist add validation if user isn't an owner of the wishlist
BitBagCommerce · Jun 29, 2022 · d33d865 · d33d865
2 parents ac69ec8 + bb8a671
commit d33d865
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 2 deletions.
diff --git a/src/Controller/Action/ShowChosenWishlistAction.php b/src/Controller/Action/ShowChosenWishlistAction.php
@@ -14,6 +14,7 @@
 use BitBag\SyliusWishlistPlugin\Form\Type\WishlistCollectionType;
 use BitBag\SyliusWishlistPlugin\Processor\WishlistCommandProcessorInterface;
 use BitBag\SyliusWishlistPlugin\Repository\WishlistRepositoryInterface;
+use BitBag\SyliusWishlistPlugin\Resolver\WishlistCookieTokenResolverInterface;
 use Sylius\Component\Order\Context\CartContextInterface;
 use Symfony\Component\Form\FormFactoryInterface;
 use Symfony\Component\Form\FormInterface;
@@ -37,28 +38,33 @@ final class ShowChosenWishlistAction
 
     private UrlGeneratorInterface $urlGenerator;
 
+    private WishlistCookieTokenResolverInterface $wishlistCookieTokenResolver;
+
     public function __construct(
         WishlistRepositoryInterface $wishlistRepository,
         CartContextInterface $cartContext,
         FormFactoryInterface $formFactory,
         Environment $twigEnvironment,
         WishlistCommandProcessorInterface $wishlistCommandProcessor,
-        UrlGeneratorInterface $urlGenerator
+        UrlGeneratorInterface $urlGenerator,
+        WishlistCookieTokenResolverInterface $wishlistCookieTokenResolver
     ) {
         $this->wishlistRepository = $wishlistRepository;
         $this->cartContext = $cartContext;
         $this->formFactory = $formFactory;
         $this->twigEnvironment = $twigEnvironment;
         $this->wishlistCommandProcessor = $wishlistCommandProcessor;
         $this->urlGenerator = $urlGenerator;
+        $this->wishlistCookieTokenResolver = $wishlistCookieTokenResolver;
     }
 
     public function __invoke(string $wishlistId, Request $request): Response
     {
         /** @var WishlistInterface $wishlist */
         $wishlist = $this->wishlistRepository->find((int)$wishlistId);
+        $wishlistCookieToken = $this->wishlistCookieTokenResolver->resolve();
 
-        if ($wishlist instanceof WishlistInterface) {
+        if ($wishlist instanceof WishlistInterface && $wishlist->getToken() === $wishlistCookieToken) {
             $form = $this->createForm($wishlist);
             return new Response(
                 $this->twigEnvironment->render('@BitBagSyliusWishlistPlugin/WishlistDetails/index.html.twig', [

diff --git a/src/Resources/config/services.yml b/src/Resources/config/services.yml
@@ -293,6 +293,7 @@ services:
             - "@twig"
             - "@bitbag_sylius_wishlist_plugin.processor.wishlist_command_processor"
             - "@router.default"
+            - "@bitbag_sylius_wishlist_plugin.resolver.wishlist_cookie_token_resolver"
         tags:
             - { name: controller.service_arguments }