From 7c1911fcd964b9fbf08901f60af4394d303d5990 Mon Sep 17 00:00:00 2001
From: thisfro
Date: Sat, 15 May 2021 10:38:17 +0200
Subject: [PATCH] Deny permission for removing wishes

---
 src/Controller/UserController.php | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/src/Controller/UserController.php b/src/Controller/UserController.php
index 604b361..a019f5a 100644
--- a/src/Controller/UserController.php
+++ b/src/Controller/UserController.php
@@ -13,6 +13,7 @@ use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\HttpKernel\Exception\HttpException;
 use Symfony\Component\Routing\Annotation\Route;
 use Twig\Environment;
 
@@ -91,11 +92,17 @@ class UserController extends AbstractController
     #[Route('/wish/delete/{id}', name: 'delete_wish')]
     public function deleteWish(Wish $wish): Response
     {
-        $this->entityManager->remove($wish);
-        $this->entityManager->flush();
+        $user = $this->getUser();
+        if ($wish->getByUser() === $user)
+        {
+            $this->entityManager->remove($wish);
+            $this->entityManager->flush();
 
-        $this->addFlash("success", "Successfully removed the wish!");
+            $this->addFlash("success", "Successfully removed the wish!");
 
-        return $this->redirectToRoute('wishlist');
+            return $this->redirectToRoute('wishlist');
+        }
+
+        throw new HttpException(403, "No permission");
     }
 }
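Review bot: The ownership test `if ($wish->getByUser() === $user)` also passes when both sides are null, so if a wish can have no owner and this route is reachable without authentication (`getUser()` then returns null), an unauthenticated request could delete it; the hunk does not show whether either is possible, so this needs confirming against the Wish entity and the firewall/access rules. Guarding explicitly removes the ambiguity and lets the happy path sit unnested: `$user = $this->getUser();` / `if ($user === null || $wish->getByUser() !== $user) { throw $this->createAccessDeniedException('No permission'); }`. `createAccessDeniedException()` from AbstractController already yields a 403 without the new `HttpException` import, and the opening brace of the `if` belongs on the same line per PSR-12. Separately, the route attribute shown in context has no `methods` restriction, so the delete is reachable via GET; restricting it to POST with a CSRF token is worth a follow-up.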