Deny permission for removing wishes

Jannis Portmann 2021-05-15 10:38:17 +02:00
parent e8b3bdaa34
commit 7c1911fcd9


@ -13,6 +13,7 @@ use Doctrine\ORM\EntityManagerInterface;
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Exception\HttpException;
use Symfony\Component\Routing\Annotation\Route;
use Twig\Environment;
@ -90,6 +91,9 @@ class UserController extends AbstractController
#[Route('/wish/delete/{id}', name: 'delete_wish')]
public function deleteWish(Wish $wish): Response
{
$user = $this->getUser();
if ($wish->getByUser() === $user)
{
$this->entityManager->remove($wish);
$this->entityManager->flush();
@ -98,4 +102,7 @@ class UserController extends AbstractController
return $this->redirectToRoute('wishlist');
}
throw new HttpException(403, "No permission");
}
}
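Review bot: The ownership check `$wish->getByUser() === $user` in `deleteWish` also passes when both sides are null, so if the route can be reached without a login and a wish can exist without an owner (neither is visible here), an anonymous request would still delete it. A guard before the comparison, such as `if ($user === null) { throw $this->createAccessDeniedException(); }`, closes that case. The `#[Route('/wish/delete/{id}', name: 'delete_wish')]` attribute shows no `methods:` restriction, so the delete appears to run on a plain GET, and the owner check does not stop a cross-site link from triggering it inside the owner's own session; consider `methods: ['POST']` together with a `$this->isCsrfTokenValid(...)` check. The class body continues outside these hunks, so firewall rules or other guards may already cover part of this.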