From 79cc9765cf343e30515b6d4609cb741aad4a017d Mon Sep 17 00:00:00 2001
From: advplyr
Date: Wed, 22 Apr 2026 16:29:47 -0500
Subject: [PATCH] Update collection endpoints to check user library access

---
 server/controllers/CollectionController.js | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/server/controllers/CollectionController.js b/server/controllers/CollectionController.js
index 1476b0f81..bb00ea346 100644
--- a/server/controllers/CollectionController.js
+++ b/server/controllers/CollectionController.js
@@ -41,6 +41,10 @@ class CollectionController {
 if (reqBody.description && typeof reqBody.description !== 'string') {
 return res.status(400).send('Invalid collection description')
 }
+ if (!req.user.checkCanAccessLibrary(reqBody.libraryId)) {
+ Logger.warn(`[CollectionController] User "${req.user.username}" attempted to create collection in inaccessible library ${reqBody.libraryId}`)
+ return res.sendStatus(403)
+ }
 const libraryItemIds = (reqBody.books || []).filter((b) => !!b && typeof b == 'string')
 if (!libraryItemIds.length) {
 return res.status(400).send('Invalid collection data. No books')
@@ -109,8 +113,9 @@ class CollectionController {
 */
 async findAll(req, res) {
 const collectionsExpanded = await Database.collectionModel.getOldCollectionsJsonExpanded(req.user)
+ const accessibleCollections = collectionsExpanded.filter((c) => req.user.checkCanAccessLibrary(c.libraryId))
 res.json({
- collections: collectionsExpanded
+ collections: accessibleCollections
 })
 }
 
@@ -431,6 +436,10 @@ class CollectionController {
 if (!collection) {
 return res.status(404).send('Collection not found')
 }
+ if (!req.user.checkCanAccessLibrary(collection.libraryId)) {
+ Logger.warn(`[CollectionController] User "${req.user.username}" attempted to access collection ${collection.id} in inaccessible library ${collection.libraryId}`)
+ return res.status(404).send('Collection not found')
+ }
 req.collection = collection
 }
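Review bot: The new check in the create handler verifies access only for `reqBody.libraryId`; nothing in this hunk verifies that the ids gathered into `libraryItemIds` on the following line belong to that library or to one the user can access, so unless the handler does so further down (its body continues past the hunk) a caller could still attach items from an inaccessible library by id. The `reqBody.libraryId` interpolated into the Logger.warn message is request-controlled and is not visibly type-checked before this point, unlike `reqBody.description` just above; a guard such as `if (typeof reqBody.libraryId !== 'string') return res.status(400).send('Invalid library id')` placed before the access check would reject malformed values before they reach the permission helper or the log. This path also answers 403 while the third hunk answers 404 for the same condition; if the 404 there is deliberate so that collection ids in other libraries are indistinguishable from missing ones, a one-line comment on each side stating why the two differ would stop a later maintainer from "harmonising" them.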
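Review bot: The added filter in findAll re-checks library access on every collection returned by `getOldCollectionsJsonExpanded(req.user)`, which already receives the user, and a reader cannot tell from this hunk whether that helper restricts by library itself or the filter is the only enforcement point. A short comment above the new line, along the lines of `// getOldCollectionsJsonExpanded does not restrict by library; drop collections the user cannot access` adjusted to what the helper actually does, would make the intent explicit. Filtering after the fetch also means every collection is fully expanded before inaccessible ones are discarded; if the model method can accept a library restriction, pushing the check into the query would avoid that work, though that is an optimisation rather than a correctness issue.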