From cd805d24da8c2e93a689bb418f1bb717aeb6f8be Mon Sep 17 00:00:00 2001
From: Deluan
Date: Sat, 20 Apr 2024 12:08:07 -0400
Subject: [PATCH] Block regular users from changing their own playlists ownership

---
 persistence/playlist_repository.go | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/persistence/playlist_repository.go b/persistence/playlist_repository.go
index 2810c457d..feafc844c 100644
--- a/persistence/playlist_repository.go
+++ b/persistence/playlist_repository.go
@@ -399,15 +399,22 @@ func (r *playlistRepository) Save(entity interface{}) (string, error) {
 }
 
 func (r *playlistRepository) Update(id string, entity interface{}, cols ...string) error {
+	pls := dbPlaylist{Playlist: *entity.(*model.Playlist)}
 	current, err := r.Get(id)
 	if err != nil {
 		return err
 	}
 	usr := loggedUser(r.ctx)
-	if !usr.IsAdmin && current.OwnerID != usr.ID {
-		return rest.ErrPermissionDenied
+	if !usr.IsAdmin {
+		// Only the owner can update the playlist
+		if current.OwnerID != usr.ID {
+			return rest.ErrPermissionDenied
+		}
+		// Regular users can't change the ownership of a playlist
+		if pls.OwnerID != "" && pls.OwnerID != usr.ID {
+			return rest.ErrPermissionDenied
+		}
 	}
-	pls := dbPlaylist{Playlist: *entity.(*model.Playlist)}
 	pls.ID = id
 	pls.UpdatedAt = time.Now()
 	_, err = r.put(id, pls, append(cols, "updatedAt")...)
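Review bot: The new ownership guard `if pls.OwnerID != "" && pls.OwnerID != usr.ID` deliberately lets an empty OwnerID through, but the hunk does not show what `r.put` does with an empty ownerId when `cols` is empty (all columns), so it is not clear from here whether a regular user could still blank the owner of their own playlist. If `put` writes every field in that case, the safe completion is to pin the value rather than only reject a foreign one, e.g. after the two checks in the non-admin branch add `pls.OwnerID = current.OwnerID`; if `put` never touches ownerId without it being named in `cols`, a one-line comment saying so next to the check would save the next reader the same question. Note also that the guard compares against `usr.ID` while the first check has already established `current.OwnerID == usr.ID`, which is correct but worth stating in the comment (`// at this point current.OwnerID == usr.ID`). Update has no doc comment; I would add `// Update persists entity under id. Non-admin callers must own the playlist and cannot reassign its OwnerID; cols limits the written columns (updatedAt is always included).` above the signature. The function's body continues past the end of the hunk.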