fix: stop giving reservers edit access when they save a wishlist

2025-11-25 19:30:15 +01:00
parent 064f864bdb
commit 32236b99d6
4 changed files with 20 additions and 2 deletions


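--- a/<schema-file-path-not-shown-on-page>
+++ b/<schema-file-path-not-shown-on-page>
@@ -134,6 +134,7 @@ export const savedWishlists = pgTable('saved_wishlists', {
 wishlistId: text('wishlist_id')
 .notNull()
 .references(() => wishlists.id, { onDelete: 'cascade' }),
+ownerToken: text('owner_token'), // Stores the owner token if user has edit access (claimed via edit link)
 isFavorite: boolean('is_favorite').default(false).notNull(),
 createdAt: timestamp('created_at').defaultNow().notNull()
 });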
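Review bot: The new `owner_token` column keeps a per-row copy of the wishlist's owner secret, and nothing in the schema ties that copy to `wishlists.ownerToken`, so if the owner token can ever be regenerated (not visible here) a stale copy would keep granting edit access after rotation; the column comment should state that contract, e.g. `// Snapshot of wishlists.owner_token taken when the user claimed via the edit link; compare against the live value before granting edit access.`. The commit touches four files and none of the sections shown is a migration, so confirm a generated migration adds the column to the database as well. The enclosing `pgTable` call starts outside the hunk.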


@@ -37,10 +37,23 @@ export const load: PageServerLoad = async (event) => {
orderBy: (savedWishlists, { desc }) => [desc(savedWishlists.createdAt)] orderBy: (savedWishlists, { desc }) => [desc(savedWishlists.createdAt)]
}); });
// Map saved wishlists to include ownerToken from savedWishlists table (not from wishlist)
// This ensures users only see ownerToken if they claimed via edit link
const savedWithAccess = saved.map(s => ({
...s,
wishlist: s.wishlist ? {
...s.wishlist,
// Override ownerToken: use the one stored in savedWishlists (which is null for public saves)
ownerToken: s.ownerToken,
// Keep publicToken as-is for viewing
publicToken: s.wishlist.publicToken
} : null
}));
return { return {
user: session.user, user: session.user,
wishlists: userWishlists, wishlists: userWishlists,
savedWishlists: saved savedWishlists: savedWithAccess
}; };
}; };
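Review bot: The `savedWithAccess` mapping spreads the whole `s.wishlist` row and only overrides `ownerToken`, so every other column the relation query selected (that query is outside this hunk) still reaches the client, and any column added to `wishlists` later is exposed automatically. An explicit allowlist of the fields the page needs, with `ownerToken: s.ownerToken` and `publicToken: s.wishlist.publicToken` among them, fails closed instead of relying on an override. The outer `...s` also carries the saved row's `ownerToken` at the top level of each entry, so the value is sent twice; picking the saved-row fields the page uses (`isFavorite`, `createdAt` per the schema) explicitly would avoid that. `load` starts outside the hunk.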


@@ -122,9 +122,11 @@ export const actions: Actions = {
return { success: false, error: 'Wishlist already saved' }; return { success: false, error: 'Wishlist already saved' };
} }
// Save without ownerToken - user is accessing via public link, so no edit access
await db.insert(savedWishlists).values({ await db.insert(savedWishlists).values({
userId: session.user.id, userId: session.user.id,
wishlistId wishlistId,
ownerToken: null // Explicitly set to null - no edit access from reservation view
}); });
return { success: true }; return { success: true };
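Review bot: The explicit `ownerToken: null` in the insert is equivalent to omitting the key, since the column has no `.default()`, so the comment is the only thing that records why this path must not copy `wishlist.ownerToken`; make that intent explicit for future refactors, e.g. `// Never copy wishlist.ownerToken here: reaching this action proves public (reservation) access only.`. The `'Wishlist already saved'` early return above leaves an existing row untouched, which correctly keeps a previously claimed row from being affected by this path. The action's duplicate check and the validation of `wishlistId` are outside the hunk.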


@@ -271,9 +271,11 @@ export const actions: Actions = {
return { success: true, message: 'Already claimed' }; return { success: true, message: 'Already claimed' };
} }
// Store the ownerToken - user is accessing via edit link, so they get edit access
await db.insert(savedWishlists).values({ await db.insert(savedWishlists).values({
userId: session.user.id, userId: session.user.id,
wishlistId: wishlist.id, wishlistId: wishlist.id,
ownerToken: wishlist.ownerToken, // Store ownerToken to grant edit access
isFavorite: false isFavorite: false
}); });
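Review bot: The `'Already claimed'` early return above the insert (its condition is outside the hunk) looks like it blocks the upgrade case: a user who first saved this wishlist from the public view, now stored with `ownerToken: null` by the reservation action, and later opens a valid edit link would be told it is already claimed and never receive `ownerToken`, if that check matches only on user and wishlist. Consider updating the existing row on that path instead, e.g. `db.update(savedWishlists).set({ ownerToken: wishlist.ownerToken })` scoped to that user and wishlist before returning, or `onConflictDoUpdate` on this insert if a unique `(user_id, wishlist_id)` constraint exists. The reverse order is worth a test too: a claimed row must not be downgraded by a later public-link save, which the reservation action's early return appears to guarantee. The enclosing action starts outside the hunk.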