fix(playlist): do not return playlist if user cannot read it

nadiamoe · nadiamoe · commit 4bd0f7a35196 · 2024-07-03T21:09:14.000+02:00
diff --git a/server/ctrlsubsonic/handlers_playlist.go b/server/ctrlsubsonic/handlers_playlist.go
@@ -49,13 +49,14 @@ func (c *Controller) ServeGetPlaylists(r *http.Request) *spec.Response {
 }
 
 func (c *Controller) ServeGetPlaylist(r *http.Request) *spec.Response {
+	user := r.Context().Value(CtxUser).(*db.User)
 	params := r.Context().Value(CtxParams).(params.Params)
 	playlistID, err := params.GetFirst("id", "playlistId")
 	if err != nil {
 		return spec.NewError(10, "please provide an `id` parameter")
 	}
 	playlist, err := c.playlistStore.Read(playlistIDDecode(playlistID))
-	if err != nil {
+	if err != nil || !playlist.CanRead(user.ID) {
 		return spec.NewError(70, "playlist with id %s not found", playlistID)
 	}
 	sub := spec.NewResponse()

Original file line number	Diff line number	Diff line change
`@@ -49,13 +49,14 @@ func (c Controller) ServeGetPlaylists(r http.Request) *spec.Response {`
`49`	`49`	`}`
`50`	`50`
`51`	`51`	`func (c Controller) ServeGetPlaylist(r http.Request) *spec.Response {`
	`52`	`+ user := r.Context().Value(CtxUser).(*db.User)`
`52`	`53`	`params := r.Context().Value(CtxParams).(params.Params)`
`53`	`54`	`playlistID, err := params.GetFirst("id", "playlistId")`
`54`	`55`	`if err != nil {`
`55`	`56`	return spec.NewError(10, "please provide an `id` parameter")
`56`	`57`	`}`
`57`	`58`	`playlist, err := c.playlistStore.Read(playlistIDDecode(playlistID))`
`58`		`- if err != nil {`
	`59`	`+ if err != nil \|\| !playlist.CanRead(user.ID) {`
`59`	`60`	`return spec.NewError(70, "playlist with id %s not found", playlistID)`
`60`	`61`	`}`
`61`	`62`	`sub := spec.NewResponse()`