fix: stop giving reservers edit access when they save a wishlist

2025-11-25 19:30:15 +01:00
parent 064f864bdb
commit 32236b99d6
4 changed files with 20 additions and 2 deletions
--- a/src/lib/server/schema.ts
+++ b/src/lib/server/schema.ts
@@ -134,6 +134,7 @@ export const savedWishlists = pgTable('saved_wishlists', {
 	wishlistId: text('wishlist_id')
 		.notNull()
 		.references(() => wishlists.id, { onDelete: 'cascade' }),
+	ownerToken: text('owner_token'), // Stores the owner token if user has edit access (claimed via edit link)
 	isFavorite: boolean('is_favorite').default(false).notNull(),
 	createdAt: timestamp('created_at').defaultNow().notNull()
 });
--- a/src/routes/dashboard/+page.server.ts
+++ b/src/routes/dashboard/+page.server.ts
@@ -37,10 +37,23 @@ export const load: PageServerLoad = async (event) => {
 		orderBy: (savedWishlists, { desc }) => [desc(savedWishlists.createdAt)]
 	});

+	// Map saved wishlists to include ownerToken from savedWishlists table (not from wishlist)
+	// This ensures users only see ownerToken if they claimed via edit link
+	const savedWithAccess = saved.map(s => ({
+		...s,
+		wishlist: s.wishlist ? {
+			...s.wishlist,
+			// Override ownerToken: use the one stored in savedWishlists (which is null for public saves)
+			ownerToken: s.ownerToken,
+			// Keep publicToken as-is for viewing
+			publicToken: s.wishlist.publicToken
+		} : null
+	}));
+
 	return {
 		user: session.user,
 		wishlists: userWishlists,
-		savedWishlists: saved
+		savedWishlists: savedWithAccess
 	};
 };

--- a/src/routes/wishlist/[token]/+page.server.ts
+++ b/src/routes/wishlist/[token]/+page.server.ts
@@ -122,9 +122,11 @@ export const actions: Actions = {
 			return { success: false, error: 'Wishlist already saved' };
 		}

+		// Save without ownerToken - user is accessing via public link, so no edit access
 		await db.insert(savedWishlists).values({
 			userId: session.user.id,
-			wishlistId
+			wishlistId,
+			ownerToken: null // Explicitly set to null - no edit access from reservation view
 		});

 		return { success: true };
--- a/src/routes/wishlist/[token]/edit/+page.server.ts
+++ b/src/routes/wishlist/[token]/edit/+page.server.ts
@@ -271,9 +271,11 @@ export const actions: Actions = {
 			return { success: true, message: 'Already claimed' };
 		}

+		// Store the ownerToken - user is accessing via edit link, so they get edit access
 		await db.insert(savedWishlists).values({
 			userId: session.user.id,
 			wishlistId: wishlist.id,
+			ownerToken: wishlist.ownerToken, // Store ownerToken to grant edit access
 			isFavorite: false
 		});