Merge 464b720d9e into 47ea6b5092

2026-05-16 16:31:30 +00:00 · 2026-05-05 17:56:42 -06:00 · 2026-05-05 17:56:42 -06:00 · 3de0dedfd9
commit 3de0dedfd9
parent 47ea6b5092 464b720d9e
11 changed files with 236 additions and 1 deletions
--- a/server/controllers/LibraryItemController.js
+++ b/server/controllers/LibraryItemController.js
@ -437,6 +437,10 @@ class LibraryItemController {
   * @param {Response} res
   */
  startPlaybackSession(req, res) {
+    if (!req.user.canStream) {
+      Logger.warn(`User "${req.user.username}" attempted to stream without permission`)
+      return res.sendStatus(403)
+    }
    if (!req.libraryItem.hasAudioTracks) {
      Logger.error(`[LibraryItemController] startPlaybackSession cannot playback ${req.libraryItem.id}`)
      return res.sendStatus(404)
@ -454,6 +458,10 @@ class LibraryItemController {
   * @param {Response} res
   */
  startEpisodePlaybackSession(req, res) {
+    if (!req.user.canStream) {
+      Logger.warn(`User "${req.user.username}" attempted to stream without permission`)
+      return res.sendStatus(403)
+    }
    if (!req.libraryItem.isPodcast) {
      Logger.error(`[LibraryItemController] startEpisodePlaybackSession invalid media type ${req.libraryItem.id}`)
      return res.sendStatus(400)
--- a/server/models/ApiKey.js
+++ b/server/models/ApiKey.js
@ -6,6 +6,7 @@ const Logger = require('../Logger')
 /**
 * @typedef {Object} ApiKeyPermissions
 * @property {boolean} download
+ * @property {boolean} stream
 * @property {boolean} update
 * @property {boolean} delete
 * @property {boolean} upload
@ -84,6 +85,7 @@ class ApiKey extends Model {
  static getDefaultPermissions() {
    return {
      download: true,
+      stream: true,
      update: true,
      delete: true,
      upload: true,
--- a/server/models/User.js
+++ b/server/models/User.js
@ -125,6 +125,7 @@ class User extends Model {
   */
  static permissionMapping = {
    canDownload: 'download',
+    canStream: 'stream',
    canUpload: 'upload',
    canDelete: 'delete',
    canUpdate: 'update',
@ -169,6 +170,7 @@ class User extends Model {
  static getDefaultPermissionsForUserType(type) {
    return {
      download: true,
+      stream: true,
      update: type === 'root' || type === 'admin',
      delete: type === 'root',
      upload: type === 'root' || type === 'admin',
@ -567,6 +569,9 @@ class User extends Model {
  get canDownload() {
    return !!this.permissions?.download && this.isActive
  }
+  get canStream() {
+    return (this.permissions?.stream !== false) && this.isActive
+  }
  get canUpload() {
    return !!this.permissions?.upload && this.isActive
  }