groove/audiobookshelf
1
0
Fork 0
mirror of https://github.com/advplyr/audiobookshelf.git synced 2026-05-27 13:51:32 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Update library item batch api endpoints check users per-item access & return 403

Browse source
This commit is contained in:
advplyr 2026-04-21 17:13:06 -05:00
parent b41db23994
commit 80b39abaa2
1 changed files with 39 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

39
server/controllers/LibraryItemController.js
View file

@ -36,6 +36,24 @@ const ShareManager = require('../managers/ShareManager')
* @typedef {RequestWithUser & RequestEntityObject & RequestLibraryFileObject} LibraryItemControllerRequestWithFile * @typedef {RequestWithUser & RequestEntityObject & RequestLibraryFileObject} LibraryItemControllerRequestWithFile
*/ */
/**
* Enforce per-item access for batch item routes
*
* @param {RequestWithUser} req
* @param {Response} res
* @param {import('../models/LibraryItem')[]} libraryItems
* @returns {boolean} true if the user may access every item; false if 403 was sent
*/
function ensureUserCanAccessLibraryItemsForBatch(req, res, libraryItems) {
for (const libraryItem of libraryItems) {
if (!req.user.checkCanAccessLibraryItem(libraryItem)) {
res.sendStatus(403)
return false
}
}
return true
}
class LibraryItemController { class LibraryItemController {
constructor() {} constructor() {}
@ -547,7 +565,13 @@ class LibraryItemController {
return res.sendStatus(404) return res.sendStatus(404)
} }
// Ensure user has permission to delete these library items
if (!ensureUserCanAccessLibraryItemsForBatch(req, res, itemsToDelete)) {
return
}
const libraryId = itemsToDelete[0].libraryId const libraryId = itemsToDelete[0].libraryId
for (const libraryItem of itemsToDelete) { for (const libraryItem of itemsToDelete) {
const libraryItemPath = libraryItem.path const libraryItemPath = libraryItem.path
Logger.info(`[LibraryItemController] (${hardDelete ? 'Hard' : 'Soft'}) deleting Library Item "${libraryItem.media.title}" with id "${libraryItem.id}"`) Logger.info(`[LibraryItemController] (${hardDelete ? 'Hard' : 'Soft'}) deleting Library Item "${libraryItem.media.title}" with id "${libraryItem.id}"`)
@ -581,6 +605,7 @@ class LibraryItemController {
} }
await Database.resetLibraryIssuesFilterData(libraryId) await Database.resetLibraryIssuesFilterData(libraryId)
res.sendStatus(200) res.sendStatus(200)
} }
@ -593,6 +618,11 @@ class LibraryItemController {
* @param {Response} res * @param {Response} res
*/ */
async batchUpdate(req, res) { async batchUpdate(req, res) {
if (!req.user.canUpdate) {
Logger.warn(`[LibraryItemController] User "${req.user.username}" attempted to batch update without permission`)
return res.sendStatus(403)
}
const updatePayloads = req.body const updatePayloads = req.body
if (!Array.isArray(updatePayloads) || !updatePayloads.length) { if (!Array.isArray(updatePayloads) || !updatePayloads.length) {
Logger.error(`[LibraryItemController] Batch update failed. Invalid payload`) Logger.error(`[LibraryItemController] Batch update failed. Invalid payload`)
@ -615,6 +645,11 @@ class LibraryItemController {
return res.sendStatus(404) return res.sendStatus(404)
} }
// Ensure user has permission to update these library items
if (!ensureUserCanAccessLibraryItemsForBatch(req, res, libraryItems)) {
return
}
let itemsUpdated = 0 let itemsUpdated = 0
const seriesIdsRemoved = [] const seriesIdsRemoved = []
@ -695,6 +730,10 @@ class LibraryItemController {
const libraryItems = await Database.libraryItemModel.findAllExpandedWhere({ const libraryItems = await Database.libraryItemModel.findAllExpandedWhere({
id: libraryItemIds id: libraryItemIds
}) })
// Ensure user has permission to access these library items
if (!ensureUserCanAccessLibraryItemsForBatch(req, res, libraryItems)) {
return
}
res.json({ res.json({
libraryItems: libraryItems.map((li) => li.toOldJSONExpanded()) libraryItems: libraryItems.map((li) => li.toOldJSONExpanded())
}) })