fix: stop giving reservers edit access when they save a wishlist

2025-11-25 19:30:15 +01:00
parent 064f864bdb
commit 32236b99d6
4 changed files with 20 additions and 2 deletions
--- a/src/routes/dashboard/+page.server.ts
+++ b/src/routes/dashboard/+page.server.ts
@@ -37,10 +37,23 @@ export const load: PageServerLoad = async (event) => {
 		orderBy: (savedWishlists, { desc }) => [desc(savedWishlists.createdAt)]
 	});

+	// Map saved wishlists to include ownerToken from savedWishlists table (not from wishlist)
+	// This ensures users only see ownerToken if they claimed via edit link
+	const savedWithAccess = saved.map(s => ({
+		...s,
+		wishlist: s.wishlist ? {
+			...s.wishlist,
+			// Override ownerToken: use the one stored in savedWishlists (which is null for public saves)
+			ownerToken: s.ownerToken,
+			// Keep publicToken as-is for viewing
+			publicToken: s.wishlist.publicToken
+		} : null
+	}));
+
 	return {
 		user: session.user,
 		wishlists: userWishlists,
-		savedWishlists: saved
+		savedWishlists: savedWithAccess
 	};
 };