Check permissions to playlist operations

engine/playlists.go

@@ -25,11 +25,7 @@ type playlists struct {
 }
 
 func (p *playlists) Create(ctx context.Context, playlistId, name string, ids []string) error {
-	owner := consts.InitialUserName
-	user, ok := ctx.Value("user").(*model.User)
-	if ok {
-		owner = user.UserName
-	}
+	owner := p.getUser(ctx)
 	var pls *model.Playlist
 	var err error
 	// If playlistID is present, override tracks
@@ -38,6 +34,9 @@ func (p *playlists) Create(ctx context.Context, playlistId, name string, ids []s
 		if err != nil {
 			return err
 		}
+		if owner != pls.Owner {
+			return model.ErrNotAuthorized
+		}
 		pls.Tracks = nil
 	} else {
 		pls = &model.Playlist{
@@ -52,12 +51,36 @@ func (p *playlists) Create(ctx context.Context, playlistId, name string, ids []s
 	return p.ds.Playlist().Put(pls)
 }
 
+func (p *playlists) getUser(ctx context.Context) string {
+	owner := consts.InitialUserName
+	user, ok := ctx.Value("user").(*model.User)
+	if ok {
+		owner = user.UserName
+	}
+	return owner
+}
+
 func (p *playlists) Delete(ctx context.Context, playlistId string) error {
+	pls, err := p.ds.Playlist().Get(playlistId)
+	if err != nil {
+		return err
+	}
+
+	owner := p.getUser(ctx)
+	if owner != pls.Owner {
+		return model.ErrNotAuthorized
+	}
 	return p.ds.Playlist().Delete(playlistId)
 }
 
 func (p *playlists) Update(ctx context.Context, playlistId string, name *string, idsToAdd []string, idxToRemove []int) error {
 	pls, err := p.ds.Playlist().Get(playlistId)
+
+	owner := p.getUser(ctx)
+	if owner != pls.Owner {
+		return model.ErrNotAuthorized
+	}
+
 	if err != nil {
 		return err
 	}

model/datastore.go

@@ -1,16 +1,9 @@
 package model
 
 import (
-	"errors"
-
 	"github.com/deluan/rest"
 )
 
-var (
-	ErrNotFound    = errors.New("data not found")
-	ErrInvalidAuth = errors.New("invalid authentication")
-)
-
 // Filters use the same operators as Beego ORM: See https://beego.me/docs/mvc/model/query.md#operators
 // Ex: var q = QueryOptions{Filters: Filters{"name__istartswith": "Deluan","age__gt": 25}}
 // All conditions will be ANDed together

model/errors.go

@@ -0,0 +1,9 @@
+package model
+
+import "errors"
+
+var (
+	ErrNotFound      = errors.New("data not found")
+	ErrInvalidAuth   = errors.New("invalid authentication")
+	ErrNotAuthorized = errors.New("not authorized")
+)

server/subsonic/playlists.go

@@ -81,6 +81,9 @@ func (c *PlaylistsController) DeletePlaylist(w http.ResponseWriter, r *http.Requ
 		return nil, err
 	}
 	err = c.pls.Delete(r.Context(), id)
+	if err == model.ErrNotAuthorized {
+		return nil, NewError(responses.ErrorAuthorizationFail)
+	}
 	if err != nil {
 		log.Error(r, err)
 		return nil, NewError(responses.ErrorGeneric, "Internal Error")
@@ -110,6 +113,9 @@ func (c *PlaylistsController) UpdatePlaylist(w http.ResponseWriter, r *http.Requ
 	log.Debug(r, fmt.Sprintf("-- Removing: '%v'", songIndexesToRemove))
 
 	err = c.pls.Update(r.Context(), playlistId, pname, songsToAdd, songIndexesToRemove)
+	if err == model.ErrNotAuthorized {
+		return nil, NewError(responses.ErrorAuthorizationFail)
+	}
 	if err != nil {
 		log.Error(r, err)
 		return nil, NewError(responses.ErrorGeneric, "Internal Error")

server/subsonic/responses/errors.go

@@ -1,14 +1,14 @@
 package responses
 
 const (
-	ErrorGeneric = iota * 10
-	ErrorMissingParameter
-	ErrorClientTooOld
-	ErrorServerTooOld
-	ErrorAuthenticationFail
-	ErrorAuthorizationFail
-	ErrorTrialExpired
-	ErrorDataNotFound
+	ErrorGeneric            = 0
+	ErrorMissingParameter   = 10
+	ErrorClientTooOld       = 20
+	ErrorServerTooOld       = 30
+	ErrorAuthenticationFail = 40
+	ErrorAuthorizationFail  = 50
+	ErrorTrialExpired       = 60
+	ErrorDataNotFound       = 70
 )
 
 var errors = map[int]string{