User create ereader endpoint validate accessibility

client/components/modals/emails/UserEReaderDeviceModal.vue

@@ -38,10 +38,6 @@ export default {
     ereaderDevice: {
       type: Object,
       default: () => null
-    },
-    users: {
-      type: Array,
-      default: () => []
     }
   },
   data() {
@@ -78,29 +74,6 @@ export default {
     },
     title() {
       return !this.ereaderDevice ? 'Create Device' : 'Update Device'
-    },
-    userAvailabilityOptions() {
-      return [
-        {
-          text: this.$strings.LabelAdminUsersOnly,
-          value: 'adminOrUp'
-        },
-        {
-          text: this.$strings.LabelAllUsersExcludingGuests,
-          value: 'userOrUp'
-        },
-        {
-          text: this.$strings.LabelAllUsersIncludingGuests,
-          value: 'guestOrUp'
-        },
-        {
-          text: this.$strings.LabelSelectUsers,
-          value: 'specificUsers'
-        }
-      ]
-    },
-    userOptions() {
-      return this.users.map((u) => ({ text: u.username, value: u.id }))
     }
   },
   methods: {

server/controllers/MeController.js

@@ -409,12 +409,15 @@ class MeController {
     for (const device of userEReaderDevices) {
       if (!device.name || !device.email) {
         return res.status(400).send('Invalid payload. ereaderDevices array items must have name and email')
+      } else if (device.availabilityOption !== 'specificUsers' || device.users?.length !== 1 || device.users[0] !== req.user.id) {
+        return res.status(400).send('Invalid payload. ereaderDevices array items must have availabilityOption "specificUsers" and only the current user')
       }
     }
 
     const otherDevices = Database.emailSettings.ereaderDevices.filter((device) => {
       return !Database.emailSettings.checkUserCanAccessDevice(device, req.user) || device.users?.length !== 1
     })
+
     const ereaderDevices = otherDevices.concat(userEReaderDevices)
 
     // Check for duplicate names