groove/audiobookshelf
1
0
Fork 0
mirror of https://github.com/advplyr/audiobookshelf.git synced 2026-05-24 04:11:39 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Update collection endpoints to check user library access

Browse source
This commit is contained in:
advplyr 2026-04-22 16:29:47 -05:00
parent 5b2a788cfc
commit 79cc9765cf
1 changed files with 10 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

11
server/controllers/CollectionController.js
View file

@ -41,6 +41,10 @@ class CollectionController {
if (reqBody.description && typeof reqBody.description !== 'string') { if (reqBody.description && typeof reqBody.description !== 'string') {
return res.status(400).send('Invalid collection description') return res.status(400).send('Invalid collection description')
} }
if (!req.user.checkCanAccessLibrary(reqBody.libraryId)) {
Logger.warn(`[CollectionController] User "${req.user.username}" attempted to create collection in inaccessible library ${reqBody.libraryId}`)
return res.sendStatus(403)
}
const libraryItemIds = (reqBody.books || []).filter((b) => !!b && typeof b == 'string') const libraryItemIds = (reqBody.books || []).filter((b) => !!b && typeof b == 'string')
if (!libraryItemIds.length) { if (!libraryItemIds.length) {
return res.status(400).send('Invalid collection data. No books') return res.status(400).send('Invalid collection data. No books')
@ -109,8 +113,9 @@ class CollectionController {
*/ */
async findAll(req, res) { async findAll(req, res) {
const collectionsExpanded = await Database.collectionModel.getOldCollectionsJsonExpanded(req.user) const collectionsExpanded = await Database.collectionModel.getOldCollectionsJsonExpanded(req.user)
const accessibleCollections = collectionsExpanded.filter((c) => req.user.checkCanAccessLibrary(c.libraryId))
res.json({ res.json({
collections: collectionsExpanded collections: accessibleCollections
}) })
} }
@ -431,6 +436,10 @@ class CollectionController {
if (!collection) { if (!collection) {
return res.status(404).send('Collection not found') return res.status(404).send('Collection not found')
} }
if (!req.user.checkCanAccessLibrary(collection.libraryId)) {
Logger.warn(`[CollectionController] User "${req.user.username}" attempted to access collection ${collection.id} in inaccessible library ${collection.libraryId}`)
return res.status(404).send('Collection not found')
}
req.collection = collection req.collection = collection
} }