Handle playlist's permissions on server

Deluan 2020-06-05 10:59:23 -04:00
parent 4906b816af
commit c6f23139bc
3 changed files with 41 additions and 2 deletions


@ -86,7 +86,7 @@ var _ = Describe("Initialize test DB", func() {
BeforeSuite(func() { BeforeSuite(func() {
o := orm.NewOrm() o := orm.NewOrm()
ctx := log.NewContext(context.TODO()) ctx := log.NewContext(context.TODO())
ctx = request.WithUser(ctx, model.User{ID: "userid"}) ctx = request.WithUser(ctx, model.User{ID: "userid", UserName: "userid"})
mr := NewMediaFileRepository(ctx, o) mr := NewMediaFileRepository(ctx, o)
for i := range testSongs { for i := range testSongs {
s := testSongs[i] s := testSongs[i]


@ -45,6 +45,16 @@ func (r *playlistRepository) Exists(id string) (bool, error) {
} }
func (r *playlistRepository) Delete(id string) error { func (r *playlistRepository) Delete(id string) error {
usr := loggedUser(r.ctx)
if !usr.IsAdmin {
pls, err := r.Get(id)
if err != nil {
return err
}
if pls.Owner != usr.UserName {
return rest.ErrPermissionDenied
}
}
err := r.delete(And{Eq{"id": id}, r.userFilter()}) err := r.delete(And{Eq{"id": id}, r.userFilter()})
if err != nil { if err != nil {
return err return err
@ -158,6 +168,10 @@ func (r *playlistRepository) Save(entity interface{}) (string, error) {
func (r *playlistRepository) Update(entity interface{}, cols ...string) error { func (r *playlistRepository) Update(entity interface{}, cols ...string) error {
pls := entity.(*model.Playlist) pls := entity.(*model.Playlist)
usr := loggedUser(r.ctx)
if !usr.IsAdmin && pls.Owner != usr.UserName {
return rest.ErrPermissionDenied
}
err := r.Put(pls) err := r.Put(pls)
if err == model.ErrNotFound { if err == model.ErrNotFound {
return rest.ErrNotFound return rest.ErrNotFound
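Review bot: The ownership check added to Update compares `pls.Owner` from the entity passed in by the caller, not the owner recorded for the stored playlist, so an entity whose Owner field is set to the caller's own user name satisfies it whatever the stored owner is. Delete in the same file section already loads the stored row with `r.Get(id)` before comparing, and Update should do the same with the entity's ID. Whether `r.Put` would then overwrite a row owned by someone else depends on code outside this hunk, so that part is an inference. Update's body continues past the end of the hunk.

```go
func (r *playlistRepository) Update(entity interface{}, cols ...string) error {
	pls := entity.(*model.Playlist)
	usr := loggedUser(r.ctx)
	if !usr.IsAdmin {
		// Authorize against the stored owner, not the Owner field supplied by the caller.
		current, err := r.Get(pls.ID)
		if err != nil {
			return err
		}
		if current.Owner != usr.UserName {
			return rest.ErrPermissionDenied
		}
	}
	// … unchanged: r.Put(pls) and error mapping …
```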


@ -11,11 +11,13 @@ import (
type playlistTrackRepository struct { type playlistTrackRepository struct {
sqlRepository sqlRepository
sqlRestful sqlRestful
playlistId string playlistId string
playlistRepo model.PlaylistRepository
} }
func (r *playlistRepository) Tracks(playlistId string) model.PlaylistTrackRepository { func (r *playlistRepository) Tracks(playlistId string) model.PlaylistTrackRepository {
p := &playlistTrackRepository{} p := &playlistTrackRepository{}
p.playlistRepo = NewPlaylistRepository(r.ctx, r.ormer)
p.playlistId = playlistId p.playlistId = playlistId
p.ctx = r.ctx p.ctx = r.ctx
p.ormer = r.ormer p.ormer = r.ormer
@ -67,6 +69,10 @@ func (r *playlistTrackRepository) NewInstance() interface{} {
} }
func (r *playlistTrackRepository) Add(mediaFileIds []string) error { func (r *playlistTrackRepository) Add(mediaFileIds []string) error {
if !r.isWritable() {
return rest.ErrPermissionDenied
}
if len(mediaFileIds) > 0 { if len(mediaFileIds) > 0 {
log.Debug(r.ctx, "Adding songs to playlist", "playlistId", r.playlistId, "mediaFileIds", mediaFileIds) log.Debug(r.ctx, "Adding songs to playlist", "playlistId", r.playlistId, "mediaFileIds", mediaFileIds)
} }
@ -100,6 +106,10 @@ func (r *playlistTrackRepository) getTracks() ([]string, error) {
} }
func (r *playlistTrackRepository) Update(mediaFileIds []string) error { func (r *playlistTrackRepository) Update(mediaFileIds []string) error {
if !r.isWritable() {
return rest.ErrPermissionDenied
}
// Remove old tracks // Remove old tracks
del := Delete(r.tableName).Where(Eq{"playlist_id": r.playlistId}) del := Delete(r.tableName).Where(Eq{"playlist_id": r.playlistId})
_, err := r.executeSQL(del) _, err := r.executeSQL(del)
@ -158,6 +168,9 @@ func (r *playlistTrackRepository) updateStats() error {
} }
func (r *playlistTrackRepository) Delete(id string) error { func (r *playlistTrackRepository) Delete(id string) error {
if !r.isWritable() {
return rest.ErrPermissionDenied
}
err := r.delete(And{Eq{"playlist_id": r.playlistId}, Eq{"id": id}}) err := r.delete(And{Eq{"playlist_id": r.playlistId}, Eq{"id": id}})
if err != nil { if err != nil {
return err return err
@ -166,6 +179,9 @@ func (r *playlistTrackRepository) Delete(id string) error {
} }
func (r *playlistTrackRepository) Reorder(pos int, newPos int) error { func (r *playlistTrackRepository) Reorder(pos int, newPos int) error {
if !r.isWritable() {
return rest.ErrPermissionDenied
}
ids, err := r.getTracks() ids, err := r.getTracks()
if err != nil { if err != nil {
return err return err
@ -174,4 +190,13 @@ func (r *playlistTrackRepository) Reorder(pos int, newPos int) error {
return r.Update(newOrder) return r.Update(newOrder)
} }
func (r *playlistTrackRepository) isWritable() bool {
usr := loggedUser(r.ctx)
if usr.IsAdmin {
return true
}
pls, err := r.playlistRepo.Get(r.playlistId)
return err == nil && pls.Owner == usr.UserName
}
var _ model.PlaylistTrackRepository = (*playlistTrackRepository)(nil) var _ model.PlaylistTrackRepository = (*playlistTrackRepository)(nil)
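Review bot: isWritable folds every error from `r.playlistRepo.Get` into `false`, so in Add, Update, Delete and Reorder a storage failure or a missing playlist is reported to the caller as `rest.ErrPermissionDenied` and the underlying error is dropped. Denying on error is the safe default, but the cause should be recorded, for example `log.Error(r.ctx, "Checking playlist ownership", "playlistId", r.playlistId, err)` before returning false. A doc comment would make the contract explicit: `// isWritable reports whether the logged user is an admin or owns the playlist; any lookup error counts as not writable.` Reorder also runs the check and then calls `r.Update`, which runs it again, so each reorder performs the ownership lookup twice.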