From 702c082e66940368f347d140ad33aef7fb02b1f2 Mon Sep 17 00:00:00 2001
From: advplyr
Date: Sat, 26 Oct 2024 15:31:04 -0500
Subject: [PATCH] User create ereader endpoint validate accessibility
---
 .../modals/emails/UserEReaderDeviceModal.vue | 27 -------------------
 server/controllers/MeController.js | 3 +++
 2 files changed, 3 insertions(+), 27 deletions(-)
diff --git a/client/components/modals/emails/UserEReaderDeviceModal.vue b/client/components/modals/emails/UserEReaderDeviceModal.vue
index fe782dbf6..b1706305c 100644
--- a/client/components/modals/emails/UserEReaderDeviceModal.vue
+++ b/client/components/modals/emails/UserEReaderDeviceModal.vue
@@ -38,10 +38,6 @@ export default {
 ereaderDevice: {
 type: Object,
 default: () => null
- },
- users: {
- type: Array,
- default: () => []
 }
 },
 data() {
@@ -78,29 +74,6 @@ export default {
 },
 title() {
 return !this.ereaderDevice ? 'Create Device' : 'Update Device'
- },
- userAvailabilityOptions() {
- return [
- {
- text: this.$strings.LabelAdminUsersOnly,
- value: 'adminOrUp'
- },
- {
- text: this.$strings.LabelAllUsersExcludingGuests,
- value: 'userOrUp'
- },
- {
- text: this.$strings.LabelAllUsersIncludingGuests,
- value: 'guestOrUp'
- },
- {
- text: this.$strings.LabelSelectUsers,
- value: 'specificUsers'
- }
- ]
- },
- userOptions() {
- return this.users.map((u) => ({ text: u.username, value: u.id }))
 }
 },
 methods: {
diff --git a/server/controllers/MeController.js b/server/controllers/MeController.js
index c91f47102..cc67b320d 100644
--- a/server/controllers/MeController.js
+++ b/server/controllers/MeController.js 
@@ -409,12 +409,15 @@ class MeController { for (const device of userEReaderDevices) { if (!device.name || !device.email) { return res.status(400).send('Invalid payload. ereaderDevices array items must have name and email') + } else if (device.availabilityOption !== 'specificUsers' || device.users?.length !== 1 || device.users[0] !== req.user.id) { + return res.status(400).send('Invalid payload. ereaderDevices array items must have availabilityOption "specificUsers" and only the current user') } } const otherDevices = Database.emailSettings.ereaderDevices.filter((device) => { return !Database.emailSettings.checkUserCanAccessDevice(device, req.user) || device.users?.length !== 1 }) + const ereaderDevices = otherDevices.concat(userEReaderDevices) // Check for duplicate names
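Review bot: The new `else if` tests `device.users?.length !== 1` and `device.users[0] !== req.user.id` without first confirming that `users` is an array, so a non-array value that exposes a `length` of 1 and a matching first element is accepted and then merged into the stored list by `otherDevices.concat(userEReaderDevices)`. I would tighten the condition to `} else if (device.availabilityOption !== 'specificUsers' || !Array.isArray(device.users) || device.users.length !== 1 || device.users[0] !== req.user.id) {`. The existing `!device.name || !device.email` guard is likewise only a truthiness test; adding `typeof device.name !== 'string' || typeof device.email !== 'string'` would keep non-string values out of the email settings. The handler starts and ends outside this hunk, so whether the devices are normalized or stripped of extra properties before being saved cannot be seen here.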