From 32236b99d65db1d6e352a4f40918395d980d63dd Mon Sep 17 00:00:00 2001
From: rasmusq
Date: Tue, 25 Nov 2025 19:30:15 +0100
Subject: [PATCH] fix: stop giving reservers edit access when they save a wishlist

---
 src/lib/server/schema.ts                         | 1 +
 src/routes/dashboard/+page.server.ts             | 15 ++++++++++++++-
 src/routes/wishlist/[token]/+page.server.ts      | 4 +++-
 src/routes/wishlist/[token]/edit/+page.server.ts | 2 ++
 4 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/src/lib/server/schema.ts b/src/lib/server/schema.ts
index 08a7479..e64d077 100644
--- a/src/lib/server/schema.ts
+++ b/src/lib/server/schema.ts
@@ -134,6 +134,7 @@ export const savedWishlists = pgTable('saved_wishlists', {
 	wishlistId: text('wishlist_id')
 		.notNull()
 		.references(() => wishlists.id, { onDelete: 'cascade' }),
+	ownerToken: text('owner_token'), // Stores the owner token if user has edit access (claimed via edit link)
 	isFavorite: boolean('is_favorite').default(false).notNull(),
 	createdAt: timestamp('created_at').defaultNow().notNull()
 });
diff --git a/src/routes/dashboard/+page.server.ts b/src/routes/dashboard/+page.server.ts
index 59c50aa..cb730ce 100644
--- a/src/routes/dashboard/+page.server.ts
+++ b/src/routes/dashboard/+page.server.ts
@@ -37,10 +37,23 @@ export const load: PageServerLoad = async (event) => {
 		orderBy: (savedWishlists, { desc }) => [desc(savedWishlists.createdAt)]
 	});
 
+	// Map saved wishlists to include ownerToken from savedWishlists table (not from wishlist)
+	// This ensures users only see ownerToken if they claimed via edit link
+	const savedWithAccess = saved.map(s => ({
+		...s,
+		wishlist: s.wishlist ? {
+			...s.wishlist,
+			// Override ownerToken: use the one stored in savedWishlists (which is null for public saves)
+			ownerToken: s.ownerToken,
+			// Keep publicToken as-is for viewing
+			publicToken: s.wishlist.publicToken
+		} : null
+	}));
+
 	return {
 		user: session.user,
 		wishlists: userWishlists,
-		savedWishlists: saved
+		savedWishlists: savedWithAccess
 	};
 };
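Review bot: `ownerToken` on `savedWishlists` is a second copy of the edit capability, so if `wishlists.ownerToken` is ever rotated the copies stored here remain, and the inline comment should make clear the column is a snapshot rather than a source of authorization: `// Snapshot of wishlists.owner_token taken when the user claimed via the edit link; null for saves from the public view. Authorize edits against the live wishlist token, not this copy.` No migration accompanies the new nullable column; if the project applies generated migrations rather than pushing the schema directly, one is needed before this deploys. The `savedWishlists` table definition starts outside the hunk.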
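Review bot: The relational query above the hunk still selects the wishlist's `ownerToken` from the database, and the masking relies entirely on this `map` remembering to override it, so any other consumer of `saved` rows would expose the owner token again; excluding the column at the source is the sturdier fix, e.g. `with: { wishlist: { columns: { ownerToken: false } } }` in the query (which starts outside the hunk and, judging by the `orderBy` callback form, uses the relational query API), after which the map reduces to `wishlist: s.wishlist ? { ...s.wishlist, ownerToken: s.ownerToken } : null`. The `publicToken: s.wishlist.publicToken` line is redundant because the spread already carries it, and the two comments restating the override could be folded into one. Note that `...s` also places the claimed `ownerToken` at the top level of each entry, so the client receives it in two places; harmless, but worth stating in a comment if intended.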
diff --git a/src/routes/wishlist/[token]/+page.server.ts b/src/routes/wishlist/[token]/+page.server.ts
index b77c7c1..c06b239 100644
--- a/src/routes/wishlist/[token]/+page.server.ts
+++ b/src/routes/wishlist/[token]/+page.server.ts
@@ -122,9 +122,11 @@ export const actions: Actions = {
 			return { success: false, error: 'Wishlist already saved' };
 		}
 
+		// Save without ownerToken - user is accessing via public link, so no edit access
 		await db.insert(savedWishlists).values({
 			userId: session.user.id,
-			wishlistId
+			wishlistId,
+			ownerToken: null // Explicitly set to null - no edit access from reservation view
 		});
 
 		return { success: true };
diff --git a/src/routes/wishlist/[token]/edit/+page.server.ts b/src/routes/wishlist/[token]/edit/+page.server.ts
index 31a8bda..6e2bd07 100644
--- a/src/routes/wishlist/[token]/edit/+page.server.ts
+++ b/src/routes/wishlist/[token]/edit/+page.server.ts
@@ -271,9 +271,11 @@ export const actions: Actions = {
 			return { success: true, message: 'Already claimed' };
 		}
 
+		// Store the ownerToken - user is accessing via edit link, so they get edit access
 		await db.insert(savedWishlists).values({
 			userId: session.user.id,
 			wishlistId: wishlist.id,
+			ownerToken: wishlist.ownerToken, // Store ownerToken to grant edit access
 			isFavorite: false
 		});
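Review bot: The `ownerToken: null` insert is right for the public view, but together with the `Wishlist already saved` early return above it a user who saves from the public link first appears to have no path to edit access later: the edit route's `Already claimed` branch (its hunk is truncated here) seems to return before writing `ownerToken`. If that is so, that branch should update the existing row rather than return, e.g. `await db.update(savedWishlists).set({ ownerToken: wishlist.ownerToken }).where(and(eq(savedWishlists.userId, session.user.id), eq(savedWishlists.wishlistId, wishlist.id)));` with `and`/`eq` imported from drizzle-orm. The trailing comment on the `ownerToken: null` line restates the comment two lines above; `// public link: never grants edit access` would do for both. The enclosing action starts outside the hunk.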