When posting the wishlisted items, you have choices depending on how the API call is authorized.
If, e.g., it is via an OAuth token that contains or implies the user's identity, then you can make your API like this:
POST /api/wishlistedItems
No need to pass the user in the URL; instead the back end extracts it from the OAuth token. (In house we call these "on behalf" APIs). Nice from a security perspective, as authorized users can only adjust their own wishlisted items.
However, perhaps you also need the capability for people to adjust others' wishlisted items? In that case you add a second API:
POST /api/wishlistedItems/users/{user}
Assuming you can still extract the user from the OAuth token, your back end now needs to ensure that the OAuth token user is "allowed" to adjust the wishlist items of the {user} user, e.g. perhaps the OAuth token user is an admin person.
I personally prefer having both these APIs for increased security, assuming you have some kind of framework that allows you to lock down access on a per-API, per-client model (which you should).
For example, let's say you have a client application HACKZOR, built by your well-meaning but inexperienced interns. You love their raw enthusiasm but their gung-ho-ness makes you nervous. So you make sure HACKZOR is only allowed to make calls to the on-behalf API (POST /api/wishlistedItems).
Now let's assume that the interns were indeed sloppy, and their HACKZOR client application is hacked. This is bad - but because you are using on-behalf APIs, it's not catastrophic. That's because HACKZOR can only alter the wishlist items for a user who it has an OAuth token for - and the authorization server only hands those out for people who have actually logged in.
Of course any user who has used HACKZOR since it was hacked is at risk - but, depending on how long the hack went undetected for, that could mean that only hundreds of accounts were compromised, not millions. You extract yourself from the situation by firing an intern or two but you don't make it into the newspaper. Phew.
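
The two checks described above (per-client API lockdown, then per-user authorization), sketched as an added example that is not part of the original answer. The claim names (`client_id`, `sub`, `roles`), the `ADMIN_CONSOLE` client and the `admin` role are assumptions, and the token is assumed to have been validated already.

```python
# Added example. Client ids other than HACKZOR, claim keys and roles are assumed.
ON_BEHALF = "POST /api/wishlistedItems"
FOR_USER = "POST /api/wishlistedItems/users/{user}"

# Per-API, per-client lockdown: which client application may call which API.
CLIENT_ALLOWED_APIS = {
    "HACKZOR": {ON_BEHALF},                  # on-behalf API only
    "ADMIN_CONSOLE": {ON_BEHALF, FOR_USER},  # hypothetical trusted client
}


class Forbidden(Exception):
    """Raised when the call must be rejected (HTTP 403 in a real service)."""


def resolve_target_user(api, claims, path_user=None):
    """Return the user whose wishlist this call may modify, or raise Forbidden.

    `claims` is the payload of an OAuth token whose signature, expiry and
    audience were ALREADY verified; that step is out of scope here.
    """
    client = claims["client_id"]
    token_user = claims["sub"]

    # Check 1: is this client application allowed to call this API at all?
    if api not in CLIENT_ALLOWED_APIS.get(client, set()):
        raise Forbidden(f"client {client!r} may not call {api}")

    if api == ON_BEHALF:
        # Identity comes only from the token; a user supplied by the caller
        # (path_user here) is deliberately ignored.
        return token_user

    if api == FOR_USER:
        # Check 2: is the token user allowed to act on {user}?
        # Assumed policy for this sketch: only holders of the "admin" role.
        if path_user and "admin" in claims.get("roles", []):
            return path_user
        raise Forbidden(f"{token_user!r} may not modify wishlist of {path_user!r}")

    raise Forbidden(f"unknown API {api!r}")
```

Because the client check runs first, a compromised HACKZOR is rejected on the second API even when it presents a token belonging to an admin who logged in through it.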