Mirrors/audiobookshelf
Mirrors/audiobookshelf
1
0
Fork 0
mirror of https://github.com/advplyr/audiobookshelf.git synced 2025-02-19 00:18:56 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fix:Series api check user has access to library

Browse Source
This commit is contained in:
advplyr 2023-05-28 08:51:34 -05:00
parent 056da0ef70
commit f16e312319
1 changed files with 8 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
server/controllers/SeriesController.js
View File

@ -11,7 +11,7 @@ class SeriesController {
// Add progress map with isFinished flag
if (include.includes('progress')) {
const libraryItemsInSeries = this.db.libraryItems.filter(li => li.mediaType === 'book' && li.media.metadata.hasSeries(seriesJson.id))
const libraryItemsInSeries = req.libraryItemsInSeries
const libraryItemsFinished = libraryItemsInSeries.filter(li => {
const mediaProgress = req.user.getMediaProgress(li.id)
return mediaProgress && mediaProgress.isFinished
@ -55,6 +55,12 @@ class SeriesController {
const series = this.db.series.find(se => se.id === req.params.id)
if (!series) return res.sendStatus(404)
const libraryItemsInSeries = this.db.libraryItems.filter(li => li.media.metadata.hasSeries?.(series.id))
if (libraryItemsInSeries.some(li => !req.user.checkCanAccessLibrary(li.libraryId))) {
Logger.warn(`[SeriesController] User attempted to access series "${series.id}" without access to the library`, req.user)
return res.sendStatus(403)
}
if (req.method == 'DELETE' && !req.user.canDelete) {
Logger.warn(`[SeriesController] User attempted to delete without permission`, req.user)
return res.sendStatus(403)
@ -64,6 +70,7 @@ class SeriesController {
}
req.series = series
req.libraryItemsInSeries = libraryItemsInSeries
next()
}
}