[PR #4027] [MERGED] fix(auth): Add admin-level auth to LibraryController 'delete', 'update' and 'delete items with issues' #4149

Closed
opened 2026-04-25 00:18:33 +02:00 by adam · 0 comments

📋 Pull Request Information

Original PR: https://github.com/advplyr/audiobookshelf/pull/4027
Author: @Alexshch09
Created: 2/22/2025
Status: Merged
Merged: 2/23/2025
Merged by: @advplyr

Base: master ← Head: Add-admin-auth-to-LibraryController


📝 Commits (1)

  • 452d354 fix(auth): Add admin-level auth to LibraryController delete update and issue removal

📊 Changes

1 file changed (+15 additions, -0 deletions)


📝 server/controllers/LibraryController.js (+15 -0)

📄 Description

Brief summary

This PR addresses a security vulnerability in the LibraryController by enforcing admin-level authorization for critical endpoints that were previously accessible to non-admin users. Specifically, it restricts access to library settings updates, library issue removal, and library deletion to only admin users.

Which issue is fixed?

No issue reported (security fix).

In-depth Description

This PR implements admin-level authorization checks in the LibraryController for the following methods:

  • PATCH /api/libraries/:id (update method): Previously, any authenticated user could potentially modify library settings. This change adds a check at the beginning of the update method to ensure that only users with isAdminOrUp privileges can proceed with updating library settings.
  • DELETE /api/libraries/:id/issues (removeLibraryItemsWithIssues method): Similarly, this endpoint for removing library items with issues was not properly protected. This PR adds an isAdminOrUp check at the start of the removeLibraryItemsWithIssues method to restrict its use to administrators.
  • DELETE /api/libraries/:id (delete method): This PR also adds an isAdminOrUp check to the delete method to ensure that only admin users can delete libraries. Deleting a library is a highly sensitive operation that should be restricted to administrators.

These changes ensure that sensitive library management operations are only accessible to authorized admin users, enhancing the overall security and access control of the application.

How have you tested this?

Test Steps:

  1. Manual testing was performed using curl commands to directly interact with the API endpoints.
  2. For each endpoint, tests were executed using two types of JWTs:
    • Admin JWT: A valid JWT for a user with administrator privileges.
    • Non-Admin JWT: A valid JWT for a standard user (without administrator privileges).
  3. The following endpoints were specifically tested to verify authorization:
    • PATCH /api/libraries/:id: curl commands were used with both Admin and Non-Admin JWTs to attempt updating library settings.
    • DELETE /api/libraries/:id/issues: curl commands were used with both Admin and Non-Admin JWTs to attempt removing library issues.
    • DELETE /api/libraries/:id: curl commands were used with both Admin and Non-Admin JWTs to attempt deleting a library.

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
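The following is an added example written for this page; it is not the PR's diff and not audiobookshelf's own code. It models the three handlers the PR describes (update, removeLibraryItemsWithIssues, delete) with the `isAdminOrUp` check placed first in each, then replays the PR's test matrix (admin vs non-admin user against each endpoint) in-process instead of with curl and JWTs. Assumptions not taken from the page: `req.user.isAdminOrUp` is a boolean, `res` behaves like an Express response (`status`, `json`, `sendStatus`), `console.error` stands in for the project's logger, and libraries are a plain in-memory Map with constructed sample data.

```javascript
'use strict'
// Added example, not audiobookshelf code: models the admin-only guard the PR
// adds to LibraryController.update / removeLibraryItemsWithIssues / delete.
// Assumed (not on the page): req.user.isAdminOrUp is a boolean, res behaves
// like Express's (status(), json(), sendStatus()), libraries live in a Map.

// Constructed sample state: two libraries, one holding an item with issues.
function seedLibraries() {
  return new Map([
    ['lib-1', { id: 'lib-1', name: 'Audiobooks', settings: { autoScan: true },
                items: [{ id: 'li-1', hasIssues: false }, { id: 'li-2', hasIssues: true }] }],
    ['lib-2', { id: 'lib-2', name: 'Podcasts', settings: { autoScan: false }, items: [] }]
  ])
}

// Minimal stand-in for an Express response: records the status code and body.
function makeRes() {
  const res = { statusCode: 200, body: undefined }
  res.status = (code) => { res.statusCode = code; return res }
  res.json = (payload) => { res.body = payload; return res }
  res.sendStatus = (code) => { res.statusCode = code; res.body = undefined; return res }
  return res
}

// The guard the PR describes, written once so every handler shares the same
// check (the PR itself repeats it inline at the top of each method).
// Returns true when the request may proceed; otherwise writes 403 and returns false.
function requireAdminOrUp(req, res, action) {
  if (!req.user || req.user.isAdminOrUp !== true) {
    const who = req.user ? req.user.username : 'anonymous'
    console.error(`[LibraryController] Non-admin user "${who}" attempted to ${action}`)
    res.sendStatus(403)
    return false
  }
  return true
}

function createLibraryController(libraries) {
  return {
    // PATCH /api/libraries/:id
    update(req, res) {
      if (!requireAdminOrUp(req, res, 'update library')) return
      const library = libraries.get(req.params.id)
      if (!library) return res.sendStatus(404)
      if (req.body.settings && typeof req.body.settings === 'object') {
        Object.assign(library.settings, req.body.settings)
      }
      if (typeof req.body.name === 'string') library.name = req.body.name
      return res.json(library)
    },
    // DELETE /api/libraries/:id/issues
    removeLibraryItemsWithIssues(req, res) {
      if (!requireAdminOrUp(req, res, 'remove library items with issues')) return
      const library = libraries.get(req.params.id)
      if (!library) return res.sendStatus(404)
      const before = library.items.length
      library.items = library.items.filter((item) => !item.hasIssues)
      return res.json({ removed: before - library.items.length })
    },
    // DELETE /api/libraries/:id
    delete(req, res) {
      if (!requireAdminOrUp(req, res, 'delete library')) return
      if (!libraries.delete(req.params.id)) return res.sendStatus(404)
      return res.json({ deleted: req.params.id })
    }
  }
}

// Replays the PR's test matrix for one user: each endpoint is called once on a
// fresh seed, and the resulting status codes and library state are returned.
function runAuthorizationMatrix(user) {
  const libraries = seedLibraries()
  const controller = createLibraryController(libraries)
  const call = (handler, params, body = {}) => {
    const res = makeRes()
    handler({ user, params, body }, res)
    return res.statusCode
  }
  return {
    update: call(controller.update, { id: 'lib-1' }, { settings: { autoScan: false } }),
    removeIssues: call(controller.removeLibraryItemsWithIssues, { id: 'lib-1' }),
    delete: call(controller.delete, { id: 'lib-2' }),
    lib1AutoScan: libraries.get('lib-1').settings.autoScan,
    lib1ItemCount: libraries.get('lib-1').items.length,
    lib2Exists: libraries.has('lib-2')
  }
}

// Constructed users: one admin, one ordinary listener.
const ADMIN = { username: 'root', isAdminOrUp: true }
const LISTENER = { username: 'listener', isAdminOrUp: false }

if (typeof require !== 'undefined' && require.main === module) {
  console.log('admin    ', runAuthorizationMatrix(ADMIN))
  console.log('non-admin', runAuthorizationMatrix(LISTENER))
}
```

Two details worth keeping when porting this pattern: the check runs before the library lookup, so a non-admin receives 403 whether or not the id exists and cannot use the 403/404 difference to enumerate library ids; and the guard compares against `true` strictly, so a truthy but non-boolean claim (for example a string carried in a token) does not pass.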

adam added the pull-request label 2026-04-25 00:18:33 +02:00
adam closed this issue 2026-04-25 00:18:33 +02:00
Reference: starred/audiobookshelf#4149