Mirrors/audiobookshelf
Mirrors/audiobookshelf
1
0
Fork 0
mirror of https://github.com/advplyr/audiobookshelf.git synced 2025-10-27 11:18:14 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix(auth): Add admin-level auth to LibraryController delete update and issue removal

Browse Source
This commit is contained in:
alexshch09 2025-02-22 00:44:52 +01:00
parent 0cc2e39367
commit 452d354b52
1 changed files with 15 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
server/controllers/LibraryController.js
View File

@ -254,6 +254,11 @@ class LibraryController {
* @param {Response} res
*/
async update(req, res) {
if (!req.user.isAdminOrUp) {
Logger.error(`[LibraryController] Non-admin user "${req.user.username}" attempted to update library`)
return res.sendStatus(403)
}
// Validation
const updatePayload = {}
const keysToCheck = ['name', 'provider', 'mediaType', 'icon']
@ -519,6 +524,11 @@ class LibraryController {
* @param {Response} res
*/
async delete(req, res) {
if (!req.user.isAdminOrUp) {
Logger.error(`[LibraryController] Non-admin user "${req.user.username}" attempted to delete library`)
return res.sendStatus(403)
}
// Remove library watcher
Watcher.removeLibrary(req.library)
@ -639,6 +649,11 @@ class LibraryController {
* @param {Response} res
*/
async removeLibraryItemsWithIssues(req, res) {
if (!req.user.isAdminOrUp) {
Logger.error(`[LibraryController] Non-admin user "${req.user.username}" attempted to delete library items missing or invalid`)
return res.sendStatus(403)
}
const libraryItemsWithIssues = await Database.libraryItemModel.findAll({
where: {
libraryId: req.library.id,