Merge pull request #4027 from Alexshch09/Add-admin-auth-to-LibraryController

fix(auth): Add admin-level auth to LibraryController 'delete', 'update' and 'delete items with issues'
advplyr 2025-02-22 17:45:38 -06:00 committed by GitHub
commit e1b3b657c4
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194


@ -254,6 +254,11 @@ class LibraryController {
* @param {Response} res
*/
async update(req, res) {
if (!req.user.isAdminOrUp) {
Logger.error(`[LibraryController] Non-admin user "${req.user.username}" attempted to update library`)
return res.sendStatus(403)
}
// Validation
const updatePayload = {}
const keysToCheck = ['name', 'provider', 'mediaType', 'icon']
@ -519,6 +524,11 @@ class LibraryController {
* @param {Response} res
*/
async delete(req, res) {
if (!req.user.isAdminOrUp) {
Logger.error(`[LibraryController] Non-admin user "${req.user.username}" attempted to delete library`)
return res.sendStatus(403)
}
// Remove library watcher
Watcher.removeLibrary(req.library)
@ -639,6 +649,11 @@ class LibraryController {
* @param {Response} res
*/
async removeLibraryItemsWithIssues(req, res) {
if (!req.user.isAdminOrUp) {
Logger.error(`[LibraryController] Non-admin user "${req.user.username}" attempted to delete library items missing or invalid`)
return res.sendStatus(403)
}
const libraryItemsWithIssues = await Database.libraryItemModel.findAll({
where: {
libraryId: req.library.id,
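Review bot: The 403 log lines added to `update`, `delete` and `removeLibraryItemsWithIssues` record who was denied but not which library was targeted, so a denied attempt is hard to correlate during an audit. `req.library` is used right after the guard in `delete` and in the `findAll` filter, so it appears to be populated by then (not confirmed for `update` from these hunks), and the message could end with `attempted to delete library "${req.library.id}"`. The same four-line guard is also repeated verbatim in all three handlers; a single route-level middleware or one private helper would keep the check in one place and make it harder for a later mutating handler to ship without it. Whether the controller's other mutating handlers already test `isAdminOrUp` is not visible here, and all three method bodies continue outside the hunks.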