arian/navidrome
1
0
Fork 0
Code Issues Pull Requests 1 Packages Projects Releases Wiki Activity

Block regular users from changing their own playlists ownership

Browse Source
This commit is contained in:
Deluan
2024-04-20 12:08:07 -04:00
parent 9aeaaa6610
commit 78182f40d6
1 changed files with 10 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
persistence/playlist_repository.go
+10 -3
View File
@@ -399,15 +399,22 @@ func (r *playlistRepository) Save(entity interface{}) (string, error) {
} }
func (r *playlistRepository) Update(id string, entity interface{}, cols ...string) error { func (r *playlistRepository) Update(id string, entity interface{}, cols ...string) error {
pls := dbPlaylist{Playlist: *entity.(*model.Playlist)}
current, err := r.Get(id) current, err := r.Get(id)
if err != nil { if err != nil {
return err return err
} }
usr := loggedUser(r.ctx) usr := loggedUser(r.ctx)
if !usr.IsAdmin && current.OwnerID != usr.ID { if !usr.IsAdmin {
return rest.ErrPermissionDenied // Only the owner can update the playlist
if current.OwnerID != usr.ID {
return rest.ErrPermissionDenied
}
// Regular users can't change the ownership of a playlist
if pls.OwnerID != "" && pls.OwnerID != usr.ID {
return rest.ErrPermissionDenied
}
} }
pls := dbPlaylist{Playlist: *entity.(*model.Playlist)}
pls.ID = id pls.ID = id
pls.UpdatedAt = time.Now() pls.UpdatedAt = time.Now()
_, err = r.put(id, pls, append(cols, "updatedAt")...) _, err = r.put(id, pls, append(cols, "updatedAt")...)