Block regular users from changing their own playlists ownership

Deluan 2024-04-20 12:08:07 -04:00 committed by Joe Stump
parent b9e273bcf7
commit cd805d24da
No known key found for this signature in database
GPG Key ID: 29151C3EC48A0EB9


@ -399,15 +399,22 @@ func (r *playlistRepository) Save(entity interface{}) (string, error) {
}
func (r *playlistRepository) Update(id string, entity interface{}, cols ...string) error {
pls := dbPlaylist{Playlist: *entity.(*model.Playlist)}
current, err := r.Get(id)
if err != nil {
return err
}
usr := loggedUser(r.ctx)
if !usr.IsAdmin && current.OwnerID != usr.ID {
return rest.ErrPermissionDenied
if !usr.IsAdmin {
// Only the owner can update the playlist
if current.OwnerID != usr.ID {
return rest.ErrPermissionDenied
}
// Regular users can't change the ownership of a playlist
if pls.OwnerID != "" && pls.OwnerID != usr.ID {
return rest.ErrPermissionDenied
}
}
pls := dbPlaylist{Playlist: *entity.(*model.Playlist)}
pls.ID = id
pls.UpdatedAt = time.Now()
_, err = r.put(id, pls, append(cols, "updatedAt")...)
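Review bot: The new guard `if pls.OwnerID != "" && pls.OwnerID != usr.ID` lets an empty OwnerID through for a non-admin, and that value is then passed unchanged to `r.put`; whether an empty owner can be persisted depends on `put` and on the caller's `cols`, neither of which is visible in this hunk. Pinning the field inside the `!usr.IsAdmin` branch after both checks, `pls.OwnerID = current.OwnerID`, would make "regular users cannot change ownership" hold regardless of how the columns are written. Separately, the single-value assertion `*entity.(*model.Playlist)` now runs before `r.Get` and the permission checks, so a wrong or nil entity panics before any authorisation decision is made; the two-value form `p, ok := entity.(*model.Playlist)` would let Update return an error instead. Update's body continues past the end of the hunk, so the handling of `err` from `r.put` is not reviewed here.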