mirrors/navidrome
1
0
Fork 0
mirror of https://github.com/navidrome/navidrome.git synced 2025-04-04 13:07:36 +03:00
Code Issues Projects Releases Packages Wiki Activity

Block regular users from changing their own playlists ownership

Browse source
This commit is contained in:
Deluan 2024-04-20 12:08:07 -04:00
parent 9aeaaa6610
commit 78182f40d6
1 changed files with 10 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

13
persistence/playlist_repository.go
View file

@ -399,15 +399,22 @@ func (r *playlistRepository) Save(entity interface{}) (string, error) {
} }
func (r *playlistRepository) Update(id string, entity interface{}, cols ...string) error { func (r *playlistRepository) Update(id string, entity interface{}, cols ...string) error {
pls := dbPlaylist{Playlist: *entity.(*model.Playlist)}
current, err := r.Get(id) current, err := r.Get(id)
if err != nil { if err != nil {
return err return err
} }
usr := loggedUser(r.ctx) usr := loggedUser(r.ctx)
if !usr.IsAdmin && current.OwnerID != usr.ID { if !usr.IsAdmin {
return rest.ErrPermissionDenied // Only the owner can update the playlist
if current.OwnerID != usr.ID {
return rest.ErrPermissionDenied
}
// Regular users can't change the ownership of a playlist
if pls.OwnerID != "" && pls.OwnerID != usr.ID {
return rest.ErrPermissionDenied
}
} }
pls := dbPlaylist{Playlist: *entity.(*model.Playlist)}
pls.ID = id pls.ID = id
pls.UpdatedAt = time.Now() pls.UpdatedAt = time.Now()
_, err = r.put(id, pls, append(cols, "updatedAt")...) _, err = r.put(id, pls, append(cols, "updatedAt")...)