diff --git a/client/pages/item/_id/index.vue b/client/pages/item/_id/index.vue
index 913d48c2..5ef36f3f 100644
--- a/client/pages/item/_id/index.vue
+++ b/client/pages/item/_id/index.vue
@@ -95,14 +95,16 @@
Book has no audio tracks but has valid ebook files. The e-reader is experimental and can be turned on in config.
+
{{ episodeDownloadsQueued.length }} Episode{{ episodeDownloadsQueued.length === 1 ? '' : 's' }} queued for download
-
close
+
close
+
diff --git a/server/controllers/PodcastController.js b/server/controllers/PodcastController.js
index 11994f60..c332050f 100644
--- a/server/controllers/PodcastController.js
+++ b/server/controllers/PodcastController.js
@@ -9,8 +9,8 @@ const filePerms = require('../utils/filePerms')
class PodcastController {
async create(req, res) {
- if (!req.user.isRoot) {
- Logger.error(`[PodcastController] Non-root user attempted to create podcast`, req.user)
+ if (!req.user.isAdminOrUp) {
+ Logger.error(`[PodcastController] Non-admin user attempted to create podcast`, req.user)
return res.sendStatus(500)
}
const payload = req.body
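Review bot: The permission denial in `create` is answered with `res.sendStatus(500)`, which reports a server fault for what is an authorization failure; `return res.sendStatus(403)` would let clients and monitoring tell the two apart. The same applies to the admin guards this commit adds in `checkNewEpisodes`, `clearEpisodeDownloadQueue` and `downloadEpisodes`. The log call also passes the whole `req.user` object, and if that object carries a password hash or token (not visible here) it ends up in the log file; logging `req.user.username`, as the `clearEpisodeDownloadQueue` message does, avoids that. The body of `create` continues outside the hunk.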
@@ -115,10 +115,19 @@ class PodcastController {
}
async checkNewEpisodes(req, res) {
+ if (!req.user.isAdminOrUp) {
+ Logger.error(`[PodcastController] Non-admin user attempted to check/download episodes`, req.user)
+ return res.sendStatus(500)
+ }
+
var libraryItem = this.db.getLibraryItem(req.params.id)
if (!libraryItem || libraryItem.mediaType !== 'podcast') {
return res.sendStatus(404)
}
+ if (!req.user.checkCanAccessLibrary(libraryItem.libraryId)) {
+ Logger.error(`[PodcastController] User attempted to check/download episodes for a library without permission`, req.user)
+ return res.sendStatus(500)
+ }
if (!libraryItem.media.metadata.feedUrl) {
Logger.error(`[PodcastController] checkNewEpisodes no feed url for item ${libraryItem.id}`)
return res.status(500).send('Podcast has no rss feed url')
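Review bot: The new library-access branch in `checkNewEpisodes` returns 500, while the lookup just above returns 404 for a missing id, so an admin without access to a library can tell an existing item from a non-existent one by the status code. `downloadEpisodes` answers the same condition with 404, so the two handlers now disagree. Returning the same status as the not-found branch, `return res.sendStatus(404)`, keeps the responses indistinguishable and consistent. The function continues outside the hunk.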
@@ -131,8 +140,8 @@ class PodcastController {
}
clearEpisodeDownloadQueue(req, res) {
- if (!req.user.canUpdate) {
- Logger.error(`[PodcastController] User attempting to clear download queue without permission "${req.user.username}"`)
+ if (!req.user.isAdminOrUp) {
+ Logger.error(`[PodcastController] Non-admin user attempting to clear download queue "${req.user.username}"`)
return res.sendStatus(500)
}
this.podcastManager.clearDownloadQueue(req.params.id)
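Review bot: `clearEpisodeDownloadQueue` passes `req.params.id` to `clearDownloadQueue` after the admin check alone, with no item lookup and no `checkCanAccessLibrary` call, unlike `checkNewEpisodes` and `downloadEpisodes` in this same commit. An admin restricted to certain libraries could presumably clear the queue of an item in a library they cannot access. The guard used by the other handlers would close this: `const libraryItem = this.db.getLibraryItem(req.params.id)` followed by `if (!libraryItem || !req.user.checkCanAccessLibrary(libraryItem.libraryId)) return res.sendStatus(404)`. The rest of the function is outside the hunk.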
@@ -151,11 +160,17 @@ class PodcastController {
}
async downloadEpisodes(req, res) {
+ if (!req.user.isAdminOrUp) {
+ Logger.error(`[PodcastController] Non-admin user attempted to download episodes`, req.user)
+ return res.sendStatus(500)
+ }
+
var libraryItem = this.db.getLibraryItem(req.params.id)
if (!libraryItem || libraryItem.mediaType !== 'podcast') {
return res.sendStatus(404)
}
- if (!req.user.canUpload || !req.user.checkCanAccessLibrary(libraryItem.libraryId)) {
+ if (!req.user.checkCanAccessLibrary(libraryItem.libraryId)) {
+ Logger.error(`[PodcastController] User attempted to download episodes for library without permission`, req.user)
return res.sendStatus(404)
}
diff --git a/server/objects/user/User.js b/server/objects/user/User.js
index fd405e48..974ce097 100644
--- a/server/objects/user/User.js
+++ b/server/objects/user/User.js
@@ -33,6 +33,9 @@ class User {
get isAdmin() {
return this.type === 'admin'
}
+ get isAdminOrUp() {
+ return this.isAdmin || this.isRoot
+ }
get canDelete() {
return !!this.permissions.delete && this.isActive
}
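Review bot: `isAdminOrUp` does not take `isActive` into account, while the `canDelete` getter directly below it requires `this.isActive`. Every controller guard in this commit now rests on this getter alone, so a deactivated admin account would pass unless inactive users are rejected earlier in the request path, which is not visible here. Either add the condition, `return (this.isAdmin || this.isRoot) && this.isActive`, or state the assumption in a comment such as `// Role check only; inactive users must be rejected before this is consulted`.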