starred/audiobookshelf
1
0
Fork 0
mirror of https://github.com/advplyr/audiobookshelf.git synced 2026-06-09 12:12:43 +02:00
Code Issues 1.0k Packages Projects Releases 10 Wiki Activity

Update playlist endpoints to check user still has library access

Browse Source
This commit is contained in:
advplyr
2026-04-22 16:42:58 -05:00
parent 79cc9765cf
commit 9ab35ef418
1 changed files with 14 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
server/controllers/PlaylistController.js
+14 -1
View File
@@ -37,6 +37,10 @@ class PlaylistController {
if (reqBody.description && typeof reqBody.description !== 'string') { if (reqBody.description && typeof reqBody.description !== 'string') {
return res.status(400).send('Invalid playlist description') return res.status(400).send('Invalid playlist description')
} }
if (!req.user.checkCanAccessLibrary(reqBody.libraryId)) {
Logger.warn(`[PlaylistController] User "${req.user.username}" attempted to create playlist in inaccessible library ${reqBody.libraryId}`)
return res.sendStatus(403)
}
const items = reqBody.items || [] const items = reqBody.items || []
const isPodcast = items.some((i) => i.episodeId) const isPodcast = items.some((i) => i.episodeId)
const libraryItemIds = new Set() const libraryItemIds = new Set()
@@ -133,8 +137,9 @@ class PlaylistController {
*/ */
async findAllForUser(req, res) { async findAllForUser(req, res) {
const playlistsForUser = await Database.playlistModel.getOldPlaylistsForUserAndLibrary(req.user.id) const playlistsForUser = await Database.playlistModel.getOldPlaylistsForUserAndLibrary(req.user.id)
const accessiblePlaylists = playlistsForUser.filter((p) => req.user.checkCanAccessLibrary(p.libraryId))
res.json({ res.json({
playlists: playlistsForUser playlists: accessiblePlaylists
}) })
} }
@@ -508,6 +513,10 @@ class PlaylistController {
if (!collection) { if (!collection) {
return res.status(404).send('Collection not found') return res.status(404).send('Collection not found')
} }
if (!req.user.checkCanAccessLibrary(collection.libraryId)) {
Logger.warn(`[PlaylistController] User "${req.user.username}" attempted to create playlist from collection ${collection.id} in inaccessible library ${collection.libraryId}`)
return res.status(404).send('Collection not found')
}
// Expand collection to get library items // Expand collection to get library items
const collectionExpanded = await collection.getOldJsonExpanded(req.user) const collectionExpanded = await collection.getOldJsonExpanded(req.user)
if (!collectionExpanded) { if (!collectionExpanded) {
@@ -573,6 +582,10 @@ class PlaylistController {
Logger.warn(`[PlaylistController] Playlist ${req.params.id} requested by user ${req.user.id} that is not the owner`) Logger.warn(`[PlaylistController] Playlist ${req.params.id} requested by user ${req.user.id} that is not the owner`)
return res.sendStatus(403) return res.sendStatus(403)
} }
if (!req.user.checkCanAccessLibrary(playlist.libraryId)) {
Logger.warn(`[PlaylistController] User "${req.user.username}" attempted to access playlist ${playlist.id} in inaccessible library ${playlist.libraryId}`)
return res.status(404).send('Playlist not found')
}
req.playlist = playlist req.playlist = playlist
} }