verbb / wishlist

A Craft CMS plugin for wishlists for your users to save things to

Front-end list update requests always fail with a 403 Forbidden #140

Open martyspain opened 1 week ago

martyspain commented 1 week ago

Describe the bug

POST requests to `wishlists/lists/update` from logged-in users who are trying to update their lists always throw a 403 Forbidden error, even when the user has permission to manage that list type and is the owner of that list.

I've done a bit of debugging and it seems to be this code in the `src/controllers/ListsController.php` class that's the culprit (starts at line 520):

```php
// Check if the guest's session matches the list's
if ($list->sessionId !== Craft::$app->getSession()->get('wishlist_list')) {
    throw new HttpException(403);
}
```

I don't 100% understand what's being checked here, but it always fails at this point because the existing list that belongs to the user has a different `sessionId` value from what's returned by `Craft::$app->getSession()->get('wishlist_list')`. This means that users can't update or delete their own lists.

Steps to reproduce

  1. Create a new list as a logged-in non-admin user
  2. Try to update that list via a front-end form request (e.g. update the list's name)
  3. Observe the 403 error

Craft CMS version

4.10.3

Plugin version

2.0.11

Multi-site?

No

Additional context

No response
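The ownership decision the quoted check should be making, as an added example that is not the plugin's own code: a list owned by a logged-in user is authorised by matching the current user id, and only a guest list falls back to the session id comparison. The function name, the `$list` array shape and the assumption that a list carries either a `userId` or a `sessionId` are assumptions made for this example.

```php
<?php
// Added example, not verbb/wishlist code. Models the authorization decision the quoted
// controller check gets wrong: it compares the guest session id for every list, so a
// logged-in owner whose session has changed since creating the list is denied.
// Assumption: a list carries either a userId (user-owned) or a sessionId (guest-owned).

function canModifyList(array $list, ?int $currentUserId, ?string $sessionListId): bool
{
    // User-owned list: only the owning user may change it, whatever the current
    // session's guest list id happens to be.
    if ($list['userId'] !== null) {
        return $currentUserId !== null && $currentUserId === $list['userId'];
    }

    // Guest list: the session id recorded at creation is the only proof of ownership,
    // so it must match the id held in the visitor's session. Deny if either is missing.
    if ($sessionListId === null || !is_string($list['sessionId'])) {
        return false;
    }
    return hash_equals($list['sessionId'], $sessionListId);
}

// Constructed sample lists.
$userList  = ['id' => 1, 'userId' => 42,   'sessionId' => 'sess-at-creation'];
$guestList = ['id' => 2, 'userId' => null, 'sessionId' => 'guest-abc'];

$cases = [
    // description, list, current user id, session list id, expected decision
    ['owner, session changed since creation', $userList,  42,   'other-session', true],
    ['different logged-in user',              $userList,  7,    'other-session', false],
    ['anonymous visitor on a user list',      $userList,  null, 'other-session', false],
    ['guest with matching session',           $guestList, null, 'guest-abc',     true],
    ['guest with another session',            $guestList, null, 'guest-xyz',     false],
];

foreach ($cases as [$desc, $list, $userId, $sessionListId, $expected]) {
    $result = canModifyList($list, $userId, $sessionListId);
    printf("%-40s %s\n", $desc, $result === $expected ? 'ok' : 'MISMATCH');
}
```

The first case is the scenario from this report: the owner is denied by a session-only comparison but allowed once ownership is checked by user id.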

engram-design commented 6 days ago

Fixed for the next release. To get this early, run `composer require verbb/wishlist:"dev-craft-4 as 2.0.11"`.

martyspain commented 5 days ago

@engram-design Thanks for the quick response! Will this be merged into the Craft 5 version as well? I'm just in the process of migrating and I believe this bug applies there too.

engram-design commented 5 days ago

Fixed for the next release. To get this early, run `composer require verbb/wishlist:"dev-craft-5 as 3.0.0"`.