Update:Give full permissions to admin users except updating root or viewing root api token #137

This commit is contained in:
advplyr 2022-05-03 19:16:16 -05:00
parent 195a30096f
commit 2e070227ab
17 changed files with 75 additions and 71 deletions


@ -4,16 +4,16 @@ class BackupController {
constructor() { }
async create(req, res) {
if (!req.user.isRoot) {
Logger.error(`[BackupController] Non-Root user attempting to craete backup`, req.user)
if (!req.user.isAdminOrUp) {
Logger.error(`[BackupController] Non-admin user attempting to craete backup`, req.user)
return res.sendStatus(403)
}
this.backupManager.requestCreateBackup(res)
}
async delete(req, res) {
if (!req.user.isRoot) {
Logger.error(`[BackupController] Non-Root user attempting to delete backup`, req.user)
if (!req.user.isAdminOrUp) {
Logger.error(`[BackupController] Non-admin user attempting to delete backup`, req.user)
return res.sendStatus(403)
}
var backup = this.backupManager.backups.find(b => b.id === req.params.id)
@ -25,8 +25,8 @@ class BackupController {
}
async upload(req, res) {
if (!req.user.isRoot) {
Logger.error(`[BackupController] Non-Root user attempting to upload backup`, req.user)
if (!req.user.isAdminOrUp) {
Logger.error(`[BackupController] Non-admin user attempting to upload backup`, req.user)
return res.sendStatus(403)
}
if (!req.files.file) {
@ -37,8 +37,8 @@ class BackupController {
}
async apply(req, res) {
if (!req.user.isRoot) {
Logger.error(`[BackupController] Non-Root user attempting to apply backup`, req.user)
if (!req.user.isAdminOrUp) {
Logger.error(`[BackupController] Non-admin user attempting to apply backup`, req.user)
return res.sendStatus(403)
}
var backup = this.backupManager.backups.find(b => b.id === req.params.id)
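Review bot: The `upload` and `apply` checks now let any admin restore a backup they uploaded themselves, and if the backup archive carries the user records (root's password hash and API token included — the archive contents are not visible here, so confirm), an applied backup would hand an admin root's credentials indirectly, which undercuts the commit's stated rule of keeping root untouchable. If that is the case, keep `upload` and `apply` at `if (!req.user.isRoot)` and relax only `create` and `delete` to `isAdminOrUp`, or make the apply path skip the root user row. The log text in `create` and `upload` still reads `craete`; `Non-admin user attempting to create backup` is the intended wording. The bodies of `upload` and `apply` continue outside the hunks.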


@ -320,7 +320,7 @@ class LibraryController {
// PATCH: Change the order of libraries
async reorder(req, res) {
if (!req.user.isRoot) {
if (!req.user.isAdminOrUp) {
Logger.error('[LibraryController] ReorderLibraries invalid user', req.user)
return res.sendStatus(403)
}
@ -457,7 +457,7 @@ class LibraryController {
}
async matchAll(req, res) {
if (!req.user.isRoot) {
if (!req.user.isAdminOrUp) {
Logger.error(`[LibraryController] Non-root user attempted to match library items`, req.user)
return res.sendStatus(403)
}
@ -467,7 +467,7 @@ class LibraryController {
// GET: api/scan (Root)
async scan(req, res) {
if (!req.user.isRoot) {
if (!req.user.isAdminOrUp) {
Logger.error(`[LibraryController] Non-root user attempted to scan library`, req.user)
return res.sendStatus(403)
}
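Review bot: The log lines in `matchAll` and `scan` still say `Non-root user attempted ...` although both guards now test `req.user.isAdminOrUp`, so a denied admin-level request would be recorded as a root check; the sibling controllers in this commit were reworded, so these should read `Non-admin user attempted to match library items` and `Non-admin user attempted to scan library`. The route comment above `scan` is stale for the same reason and should read `// GET: api/scan (admin)`. All three method bodies continue outside the hunks.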


@ -331,8 +331,8 @@ class LibraryItemController {
// DELETE: api/items/all
async deleteAll(req, res) {
if (!req.user.isRoot) {
Logger.warn('User other than root attempted to delete all library items', req.user)
if (!req.user.isAdminOrUp) {
Logger.warn('User other than admin attempted to delete all library items', req.user)
return res.sendStatus(403)
}
Logger.info('Removing all Library Items')
@ -341,10 +341,10 @@ class LibraryItemController {
else res.sendStatus(500)
}
// GET: api/items/:id/scan (Root)
// GET: api/items/:id/scan (admin)
async scan(req, res) {
if (!req.user.isRoot) {
Logger.error(`[LibraryItemController] Non-root user attempted to scan library item`, req.user)
if (!req.user.isAdminOrUp) {
Logger.error(`[LibraryItemController] Non-admin user attempted to scan library item`, req.user)
return res.sendStatus(403)
}
@ -361,7 +361,7 @@ class LibraryItemController {
// POST: api/items/:id/audio-metadata
async updateAudioFileMetadata(req, res) {
if (!req.user.isRoot) {
if (!req.user.isAdminOrUp) {
Logger.error(`[LibraryItemController] Non-root user attempted to update audio metadata`, req.user)
return res.sendStatus(403)
}
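Review bot: The `updateAudioFileMetadata` log still says `Non-root user attempted to update audio metadata` while its guard was changed to `req.user.isAdminOrUp`, unlike the `scan` and `deleteAll` messages in the same file that were reworded; use `Non-admin user attempted to update audio metadata` so the audit log matches the check. `deleteAll` is destructive and now reachable by every admin, yet its success log `Logger.info('Removing all Library Items')` names no actor; passing the caller as the other log lines do, `Logger.info('Removing all Library Items', req.user.username)`, keeps the trail attributable. The method bodies continue outside the hunks.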


@ -159,10 +159,10 @@ class MiscController {
res.json(downloads)
}
// PATCH: api/settings (Root)
// PATCH: api/settings (admin)
async updateServerSettings(req, res) {
if (!req.user.isRoot) {
Logger.error('User other than root attempting to update server settings', req.user)
if (!req.user.isAdminOrUp) {
Logger.error('User other than admin attempting to update server settings', req.user)
return res.sendStatus(403)
}
var settingsUpdate = req.body
@ -185,9 +185,9 @@ class MiscController {
})
}
// POST: api/purgecache (Root)
// POST: api/purgecache (admin)
async purgeCache(req, res) {
if (!req.user.isRoot) {
if (!req.user.isAdminOrUp) {
return res.sendStatus(403)
}
Logger.info(`[ApiRouter] Purging all cache`)
@ -239,8 +239,8 @@ class MiscController {
}
getAllTags(req, res) {
if (!req.user.isRoot) {
Logger.error(`[MiscController] Non-root user attempted to getAllTags`)
if (!req.user.isAdminOrUp) {
Logger.error(`[MiscController] Non-admin user attempted to getAllTags`)
return res.sendStatus(404)
}
var tags = []
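Review bot: `getAllTags` answers an unauthorized caller with `404` where every other guard in this commit returns `403`, and its error log is the only one that omits `req.user`, so a denied request cannot be attributed; unless the 404 is deliberately hiding the endpoint (nothing in the hunk says so), use `return res.sendStatus(403)` and log `Logger.error('[MiscController] Non-admin user attempted to getAllTags', req.user)`. `purgeCache` likewise rejects with no log line at all, unlike its siblings. `updateServerSettings` now lets any admin write whatever arrives in `req.body`; its validation continues outside the hunk, so confirm it restricts the accepted fields. The method bodies continue outside the hunks.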


@ -7,14 +7,15 @@ class UserController {
constructor() { }
findAll(req, res) {
if (!req.user.isRoot) return res.sendStatus(403)
var users = this.db.users.map(u => this.userJsonWithItemProgressDetails(u))
if (!req.user.isAdminOrUp) return res.sendStatus(403)
const hideRootToken = !req.user.isRoot
var users = this.db.users.map(u => this.userJsonWithItemProgressDetails(u, hideRootToken))
res.json(users)
}
findOne(req, res) {
if (!req.user.isRoot) {
Logger.error('User other than root attempting to get user', req.user)
if (!req.user.isAdminOrUp) {
Logger.error('User other than admin attempting to get user', req.user)
return res.sendStatus(403)
}
@ -23,12 +24,12 @@ class UserController {
return res.sendStatus(404)
}
res.json(this.userJsonWithItemProgressDetails(user))
res.json(this.userJsonWithItemProgressDetails(user, !req.user.isRoot))
}
async create(req, res) {
if (!req.user.isRoot) {
Logger.warn('Non-root user attempted to create user', req.user)
if (!req.user.isAdminOrUp) {
Logger.warn('Non-admin user attempted to create user', req.user)
return res.sendStatus(403)
}
var account = req.body
@ -57,8 +58,8 @@ class UserController {
}
async update(req, res) {
if (!req.user.isRoot) {
Logger.error('User other than root attempting to update user', req.user)
if (!req.user.isAdminOrUp) {
Logger.error('[UserController] User other than admin attempting to update user', req.user)
return res.sendStatus(403)
}
@ -67,6 +68,11 @@ class UserController {
return res.sendStatus(404)
}
if (user.type === 'root' && !req.user.isRoot) {
Logger.error(`[UserController] Admin user attempted to update root user`, req.user.username)
return res.sendStatus(403)
}
var account = req.body
if (account.username !== undefined && account.username !== user.username) {
@ -95,8 +101,8 @@ class UserController {
}
async delete(req, res) {
if (!req.user.isRoot) {
Logger.error('User other than root attempting to delete user', req.user)
if (!req.user.isAdminOrUp) {
Logger.error('User other than admin attempting to delete user', req.user)
return res.sendStatus(403)
}
if (req.params.id === 'root') {
@ -133,7 +139,7 @@ class UserController {
// GET: api/users/:id/listening-sessions
async getListeningSessions(req, res) {
if (!req.user.isRoot && req.user.id !== req.params.id) {
if (!req.user.isAdminOrUp && req.user.id !== req.params.id) {
return res.sendStatus(403)
}
var listeningSessions = await this.getUserListeningSessionsHelper(req.params.id)
@ -142,7 +148,7 @@ class UserController {
// GET: api/users/:id/listening-stats
async getListeningStats(req, res) {
if (!req.user.isRoot && req.user.id !== req.params.id) {
if (!req.user.isAdminOrUp && req.user.id !== req.params.id) {
return res.sendStatus(403)
}
var listeningStats = await this.getUserListeningStatsHelpers(req.params.id)
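Review bot: The new root guard in `update` only blocks edits whose target is already root (`user.type === 'root'`); if the request body's `type` is applied to the user (that part of the body is outside the hunk), an admin could promote another account — or their own — to `root` and obtain exactly the privileges this commit withholds, and `create` has the same gap since the whole of `req.body` becomes the new account. A non-root caller should be refused before either write, `if (!req.user.isRoot && account.type === 'root') return res.sendStatus(403)` directly after `var account = req.body` in both handlers, and the same rule applies to granting `admin` if that is also meant to be root-only. `delete` identifies root by `req.params.id === 'root'` while `update` uses `user.type === 'root'`; unless the root user's id is guaranteed to be the literal `root`, resolve the user first and check its type as `update` does. `findAll` and `findOne` pass `hideRootToken`, but whether the token is actually stripped depends on `userJsonWithItemProgressDetails`, which is outside the hunk.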