This repository has been archived by the owner on Nov 2, 2021. It is now read-only.

WishlistsController has no access control. Allows public editing of everything. #86

Open
mleglise opened this issue Sep 15, 2015 · 1 comment

Comments

@mleglise

That's right, anonymous users can edit and delete other people's wishlists, just by having the right URL. No permission checks are performed.
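The missing check described in this report, shown beside a version that authorizes the caller against the loaded record. This is an added example in plain Ruby (no Rails), not code from this project or from either commenter; `Wishlist`, `User`, `sample_store`, `update_unchecked`, `update_authorized` and `can_manage?` are hypothetical names, and looking a wishlist up by a URL token is an assumption.

```ruby
# Added illustration in plain Ruby (no Rails). All names are hypothetical.
Wishlist = Struct.new(:token, :owner_id, :name)
User = Struct.new(:id, :admin)
class NotAuthorized < StandardError; end

# Constructed sample records standing in for the database.
def sample_store
  { "tok-alice" => Wishlist.new("tok-alice", 1, "Alice's list"),
    "tok-bob"   => Wishlist.new("tok-bob", 2, "Bob's list") }
end

# Behaviour the issue reports: the identifier from the URL is the only thing
# consulted, so any caller, including an anonymous one (nil), can write.
def update_unchecked(store, _current_user, token, attrs)
  list = store.fetch(token)
  attrs.each { |key, value| list[key] = value }
  list
end

# Only the owner or an admin may modify a wishlist; anonymous callers never.
def can_manage?(user, list)
  return false if user.nil?
  user.admin || user.id == list.owner_id
end

PERMITTED = %i[name].freeze # owner_id is deliberately not writable

# Hardened form: authorise against the loaded record before any write.
def update_authorized(store, current_user, token, attrs)
  list = store.fetch(token)
  raise NotAuthorized, "cannot modify this wishlist" unless can_manage?(current_user, list)
  attrs.slice(*PERMITTED).each { |key, value| list[key] = value }
  list
end

if __FILE__ == $PROGRAM_NAME
  store = sample_store
  update_unchecked(store, nil, "tok-bob", name: "edited by a stranger")
  puts store["tok-bob"].name
  begin
    update_authorized(sample_store, User.new(1, false), "tok-bob", name: "x")
  rescue NotAuthorized => e
    puts "rejected: #{e.message}"
  end
end
```

The same `can_manage?` check applies to delete and to any action that adds or removes items on a wishlist.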

@sonu1989

I am also facing the same issue. Getting an error when I am trying to delete a product from the wishlist. Please resolve this ASAP.

Thank you in advance.
