Mirrors/audiobookshelf
Mirrors/audiobookshelf
1
0
Fork 0
mirror of https://github.com/advplyr/audiobookshelf.git synced 2025-06-14 01:16:52 +02:00
Code Issues Packages Projects Releases Wiki Activity

Fix: Users with update permission unable to remove books from collection #3947

Browse Source
This commit is contained in:
advplyr 2025-02-07 17:09:48 -06:00
parent e93bb5cb07
commit a37fe3c3d2
1 changed files with 3 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
server/controllers/CollectionController.js
View File

@ -251,6 +251,7 @@ class CollectionController {
/** /**
* DELETE: /api/collections/:id/book/:bookId * DELETE: /api/collections/:id/book/:bookId
* Remove a single book from a collection. Re-order books * Remove a single book from a collection. Re-order books
* Users with update permission can remove books from collections
* TODO: bookId is actually libraryItemId. Clients need updating to use bookId * TODO: bookId is actually libraryItemId. Clients need updating to use bookId
* *
* @param {CollectionControllerRequest} req * @param {CollectionControllerRequest} req
@ -427,7 +428,8 @@ class CollectionController {
req.collection = collection req.collection = collection
} }
if (req.method == 'DELETE' && !req.user.canDelete) { // Users with update permission can remove books from collections
if (req.method == 'DELETE' && !req.params.bookId && !req.user.canDelete) {
Logger.warn(`[CollectionController] User "${req.user.username}" attempted to delete without permission`) Logger.warn(`[CollectionController] User "${req.user.username}" attempted to delete without permission`)
return res.sendStatus(403) return res.sendStatus(403)
} else if ((req.method == 'PATCH' || req.method == 'POST') && !req.user.canUpdate) { } else if ((req.method == 'PATCH' || req.method == 'POST') && !req.user.canUpdate) {