From 729fdd5c9f706ff100da66b47147216b6ca6c8b0 Mon Sep 17 00:00:00 2001
From: advplyr
Date: Fri, 29 Apr 2022 18:29:40 -0500
Subject: [PATCH] Update:User type admin permissions to create podcasts and download episodes #507
---
 client/pages/item/_id/index.vue | 4 +++-
 server/controllers/PodcastController.js | 25 ++++++++++++++++++++-----
 server/objects/user/User.js | 3 +++
 3 files changed, 26 insertions(+), 6 deletions(-)
diff --git a/client/pages/item/_id/index.vue b/client/pages/item/_id/index.vue
index 913d48c2..5ef36f3f 100644
--- a/client/pages/item/_id/index.vue
+++ b/client/pages/item/_id/index.vue
@@ -95,14 +95,16 @@

Book has no audio tracks but has valid ebook files. The e-reader is experimental and can be turned on in config.

+

{{ episodeDownloadsQueued.length }} Episode{{ episodeDownloadsQueued.length === 1 ? '' : 's' }} queued for download

- close + close
+
diff --git a/server/controllers/PodcastController.js b/server/controllers/PodcastController.js
index 11994f60..c332050f 100644
--- a/server/controllers/PodcastController.js
+++ b/server/controllers/PodcastController.js
@@ -9,8 +9,8 @@ const filePerms = require('../utils/filePerms')
 
 class PodcastController {
 async create(req, res) {
- if (!req.user.isRoot) {
- Logger.error(`[PodcastController] Non-root user attempted to create podcast`, req.user)
+ if (!req.user.isAdminOrUp) {
+ Logger.error(`[PodcastController] Non-admin user attempted to create podcast`, req.user)
 return res.sendStatus(500)
 }
 const payload = req.body
@@ -115,10 +115,19 @@ class PodcastController {
 }
 
 async checkNewEpisodes(req, res) {
+ if (!req.user.isAdminOrUp) {
+ Logger.error(`[PodcastController] Non-admin user attempted to check/download episodes`, req.user)
+ return res.sendStatus(500)
+ }
+
 var libraryItem = this.db.getLibraryItem(req.params.id)
 if (!libraryItem || libraryItem.mediaType !== 'podcast') {
 return res.sendStatus(404)
 }
+ if (!req.user.checkCanAccessLibrary(libraryItem.libraryId)) {
+ Logger.error(`[PodcastController] User attempted to check/download episodes for a library without permission`, req.user)
+ return res.sendStatus(500)
+ }
 if (!libraryItem.media.metadata.feedUrl) {
 Logger.error(`[PodcastController] checkNewEpisodes no feed url for item ${libraryItem.id}`)
 return res.status(500).send('Podcast has no rss feed url')
@@ -131,8 +140,8 @@ class PodcastController {
 }
 
 clearEpisodeDownloadQueue(req, res) {
- if (!req.user.canUpdate) {
- Logger.error(`[PodcastController] User attempting to clear download queue without permission "${req.user.username}"`)
+ if (!req.user.isAdminOrUp) {
+ Logger.error(`[PodcastController] Non-admin user attempting to clear download queue "${req.user.username}"`)
 return res.sendStatus(500)
 }
 this.podcastManager.clearDownloadQueue(req.params.id)
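Review bot: The permission failure in `create` is answered with `return res.sendStatus(500)`, which reports an authorization denial as a server fault. `return res.sendStatus(403)` would let clients and log monitoring tell a refused request apart from a crash. The same 500-on-denial is used by the admin checks this commit adds to `checkNewEpisodes`, `clearEpisodeDownloadQueue` and `downloadEpisodes`. The body of `create` continues past the end of the hunk.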
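Review bot: Both `Logger.error` calls added to `checkNewEpisodes` pass the whole `req.user` object as the second argument, so every field of that object is written to the log. If the User object carries credential material such as a password hash or token (not visible in this diff), it ends up in log files. `clearEpisodeDownloadQueue` in the same commit logs only `req.user.username`; passing `req.user.username` instead of `req.user` would fit here and in the new log lines in `create` and `downloadEpisodes`. The method continues past the hunk.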
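Review bot: `clearEpisodeDownloadQueue` now gates on `isAdminOrUp` alone and hands `req.params.id` straight to `clearDownloadQueue`, while `checkNewEpisodes` and `downloadEpisodes` in this commit also load the library item and call `req.user.checkCanAccessLibrary(libraryItem.libraryId)`. If an admin account can be restricted to certain libraries, it could clear the queue of an item in a library it cannot access. The sketch below applies the same lookup and access check, assuming `req.params.id` on this route is the library item id as in the sibling handlers. The rest of the method lies outside the hunk.

```javascript
clearEpisodeDownloadQueue(req, res) {
  // … unchanged: isAdminOrUp check …
  var libraryItem = this.db.getLibraryItem(req.params.id)
  if (!libraryItem || libraryItem.mediaType !== 'podcast') {
    return res.sendStatus(404)
  }
  if (!req.user.checkCanAccessLibrary(libraryItem.libraryId)) {
    Logger.error(`[PodcastController] User attempted to clear download queue for library without permission "${req.user.username}"`)
    return res.sendStatus(404)
  }
  this.podcastManager.clearDownloadQueue(req.params.id)
```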
@@ -151,11 +160,17 @@ class PodcastController {
 }
 
 async downloadEpisodes(req, res) {
+ if (!req.user.isAdminOrUp) {
+ Logger.error(`[PodcastController] Non-admin user attempted to download episodes`, req.user)
+ return res.sendStatus(500)
+ }
+
 var libraryItem = this.db.getLibraryItem(req.params.id)
 if (!libraryItem || libraryItem.mediaType !== 'podcast') {
 return res.sendStatus(404)
 }
- if (!req.user.canUpload || !req.user.checkCanAccessLibrary(libraryItem.libraryId)) {
+ if (!req.user.checkCanAccessLibrary(libraryItem.libraryId)) {
+ Logger.error(`[PodcastController] User attempted to download episodes for library without permission`, req.user)
 return res.sendStatus(404)
 }
 
diff --git a/server/objects/user/User.js b/server/objects/user/User.js
index fd405e48..974ce097 100644
--- a/server/objects/user/User.js
+++ b/server/objects/user/User.js
@@ -33,6 +33,9 @@ class User {
 get isAdmin() {
 return this.type === 'admin'
 }
+ get isAdminOrUp() {
+ return this.isAdmin || this.isRoot
+ }
 get canDelete() {
 return !!this.permissions.delete && this.isActive
 }
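Review bot: The library-access failure in `downloadEpisodes` returns 404, while the identical `checkCanAccessLibrary` check added to `checkNewEpisodes` in this commit returns 500, so the two endpoints answer the same condition differently. 404 does not reveal that an item exists in a library the caller cannot see, so `return res.sendStatus(404)` in `checkNewEpisodes` as well would make them consistent. The hunk also replaces the `canUpload` requirement with the admin check. If that is intended, a comment such as `// admins may download episodes regardless of the upload permission` would record it. The method continues past the hunk.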
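Review bot: `isAdminOrUp` looks only at the account type, whereas `canDelete` directly below it also requires `this.isActive`. Every server-side gate this commit adds in PodcastController relies on this getter. Unless inactive accounts are rejected earlier during authentication (not visible in this diff), a deactivated admin would still pass those gates. If that guarantee does not exist, `return (this.isAdmin || this.isRoot) && this.isActive` closes the gap. Otherwise a one-line comment naming where inactive users are rejected would help the next reader.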