Block regular users from changing their own playlists ownership

Deluan 2024-04-20 12:08:07 -04:00
parent 9aeaaa6610
commit 78182f40d6
1 changed files with 10 additions and 3 deletions


@ -399,15 +399,22 @@ func (r *playlistRepository) Save(entity interface{}) (string, error) {
}
func (r *playlistRepository) Update(id string, entity interface{}, cols ...string) error {
pls := dbPlaylist{Playlist: *entity.(*model.Playlist)}
current, err := r.Get(id)
if err != nil {
return err
}
usr := loggedUser(r.ctx)
if !usr.IsAdmin && current.OwnerID != usr.ID {
return rest.ErrPermissionDenied
if !usr.IsAdmin {
// Only the owner can update the playlist
if current.OwnerID != usr.ID {
return rest.ErrPermissionDenied
}
// Regular users can't change the ownership of a playlist
if pls.OwnerID != "" && pls.OwnerID != usr.ID {
return rest.ErrPermissionDenied
}
}
pls := dbPlaylist{Playlist: *entity.(*model.Playlist)}
pls.ID = id
pls.UpdatedAt = time.Now()
_, err = r.put(id, pls, append(cols, "updatedAt")...)
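Review bot: The new ownership guard in Update only rejects a non-empty `pls.OwnerID` that differs from the caller, so an empty value still passes for non-admins. Whether the stored owner survives then depends on how `r.put` handles an empty field and the `cols` list, neither of which is visible in this hunk. Pinning the field is more robust than validating it: after the two permission checks, set `pls.OwnerID = current.OwnerID` for non-admin callers so the request body can never influence that column. Separately, the relocated `entity.(*model.Playlist)` assertion now runs before any check and panics on an unexpected type; the two-value form `p, ok := entity.(*model.Playlist)` with an error return would fail closed. Update's body continues past the end of the hunk, and no test for the denied-ownership-change path is visible in this commit.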