third-party-mirrors/navidrome
1
0
Fork 0
mirror of https://github.com/navidrome/navidrome.git synced 2025-06-02 08:31:27 +03:00
Code Issues Packages Projects Releases Wiki Activity

Check permissions to playlist operations

Browse Source
This commit is contained in:
Deluan 2020-01-21 17:18:46 -05:00
parent 57fcdac428
commit 7fe15134a6
5 changed files with 51 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
engine/playlists.go
View File

@ -25,11 +25,7 @@ type playlists struct {
} }
func (p *playlists) Create(ctx context.Context, playlistId, name string, ids []string) error { func (p *playlists) Create(ctx context.Context, playlistId, name string, ids []string) error {
owner := consts.InitialUserName owner := p.getUser(ctx)
user, ok := ctx.Value("user").(*model.User)
if ok {
owner = user.UserName
}
var pls *model.Playlist var pls *model.Playlist
var err error var err error
// If playlistID is present, override tracks // If playlistID is present, override tracks
@ -38,6 +34,9 @@ func (p *playlists) Create(ctx context.Context, playlistId, name string, ids []s
if err != nil { if err != nil {
return err return err
} }
if owner != pls.Owner {
return model.ErrNotAuthorized
}
pls.Tracks = nil pls.Tracks = nil
} else { } else {
pls = &model.Playlist{ pls = &model.Playlist{
@ -52,12 +51,36 @@ func (p *playlists) Create(ctx context.Context, playlistId, name string, ids []s
return p.ds.Playlist().Put(pls) return p.ds.Playlist().Put(pls)
} }
func (p *playlists) getUser(ctx context.Context) string {
owner := consts.InitialUserName
user, ok := ctx.Value("user").(*model.User)
if ok {
owner = user.UserName
}
return owner
}
func (p *playlists) Delete(ctx context.Context, playlistId string) error { func (p *playlists) Delete(ctx context.Context, playlistId string) error {
pls, err := p.ds.Playlist().Get(playlistId)
if err != nil {
return err
}
owner := p.getUser(ctx)
if owner != pls.Owner {
return model.ErrNotAuthorized
}
return p.ds.Playlist().Delete(playlistId) return p.ds.Playlist().Delete(playlistId)
} }
func (p *playlists) Update(ctx context.Context, playlistId string, name *string, idsToAdd []string, idxToRemove []int) error { func (p *playlists) Update(ctx context.Context, playlistId string, name *string, idsToAdd []string, idxToRemove []int) error {
pls, err := p.ds.Playlist().Get(playlistId) pls, err := p.ds.Playlist().Get(playlistId)
owner := p.getUser(ctx)
if owner != pls.Owner {
return model.ErrNotAuthorized
}
if err != nil { if err != nil {
return err return err
} }

7
model/datastore.go
View File

@ -1,16 +1,9 @@
package model package model
import ( import (
"errors"
"github.com/deluan/rest" "github.com/deluan/rest"
) )
var (
ErrNotFound = errors.New("data not found")
ErrInvalidAuth = errors.New("invalid authentication")
)
// Filters use the same operators as Beego ORM: See https://beego.me/docs/mvc/model/query.md#operators // Filters use the same operators as Beego ORM: See https://beego.me/docs/mvc/model/query.md#operators
// Ex: var q = QueryOptions{Filters: Filters{"name__istartswith": "Deluan","age__gt": 25}} // Ex: var q = QueryOptions{Filters: Filters{"name__istartswith": "Deluan","age__gt": 25}}
// All conditions will be ANDed together // All conditions will be ANDed together

9
model/errors.go Normal file
View File

@ -0,0 +1,9 @@
package model
import "errors"
var (
ErrNotFound = errors.New("data not found")
ErrInvalidAuth = errors.New("invalid authentication")
ErrNotAuthorized = errors.New("not authorized")
)

6
server/subsonic/playlists.go
View File

@ -81,6 +81,9 @@ func (c *PlaylistsController) DeletePlaylist(w http.ResponseWriter, r *http.Requ
return nil, err return nil, err
} }
err = c.pls.Delete(r.Context(), id) err = c.pls.Delete(r.Context(), id)
if err == model.ErrNotAuthorized {
return nil, NewError(responses.ErrorAuthorizationFail)
}
if err != nil { if err != nil {
log.Error(r, err) log.Error(r, err)
return nil, NewError(responses.ErrorGeneric, "Internal Error") return nil, NewError(responses.ErrorGeneric, "Internal Error")
@ -110,6 +113,9 @@ func (c *PlaylistsController) UpdatePlaylist(w http.ResponseWriter, r *http.Requ
log.Debug(r, fmt.Sprintf("-- Removing: '%v'", songIndexesToRemove)) log.Debug(r, fmt.Sprintf("-- Removing: '%v'", songIndexesToRemove))
err = c.pls.Update(r.Context(), playlistId, pname, songsToAdd, songIndexesToRemove) err = c.pls.Update(r.Context(), playlistId, pname, songsToAdd, songIndexesToRemove)
if err == model.ErrNotAuthorized {
return nil, NewError(responses.ErrorAuthorizationFail)
}
if err != nil { if err != nil {
log.Error(r, err) log.Error(r, err)
return nil, NewError(responses.ErrorGeneric, "Internal Error") return nil, NewError(responses.ErrorGeneric, "Internal Error")

16
server/subsonic/responses/errors.go
View File

@ -1,14 +1,14 @@
package responses package responses
const ( const (
ErrorGeneric = iota * 10 ErrorGeneric = 0
ErrorMissingParameter ErrorMissingParameter = 10
ErrorClientTooOld ErrorClientTooOld = 20
ErrorServerTooOld ErrorServerTooOld = 30
ErrorAuthenticationFail ErrorAuthenticationFail = 40
ErrorAuthorizationFail ErrorAuthorizationFail = 50
ErrorTrialExpired ErrorTrialExpired = 60
ErrorDataNotFound ErrorDataNotFound = 70
) )
var errors = map[int]string{ var errors = map[int]string{