fix: harden shared access checks for playlists and files

pull/1163/head
voc0der 2 months ago
parent a84d08e64f
commit f6afb52808

@ -928,7 +928,7 @@ const optionalJwt = async function (req, res, next) {
const uuid = using_body ? req.body.uuid : req.query.uuid;
const uid = using_body ? req.body.uid : req.query.uid;
const playlist_id = using_body ? req.body.playlist_id : req.query.playlist_id;
const file = !playlist_id ? auth_api.getUserVideo(uuid, uid, true) : await files_api.getPlaylist(playlist_id, uuid, true);
const file = !playlist_id ? await auth_api.getUserVideo(uuid, uid, true) : await files_api.getPlaylist(playlist_id, uuid, true);
if (file) {
req.can_watch = true;
return next();

@ -482,7 +482,7 @@ exports.getUserPlaylist = async function(user_uid, playlistID, requireSharing =
let playlist = await db_api.getRecord('playlists', filter_obj);
// prevent unauthorized users from accessing the file info
if (requireSharing && !playlist['sharingEnabled']) playlist = null;
if (requireSharing && (!playlist || !playlist['sharingEnabled'])) playlist = null;
return playlist;
}

@ -194,7 +194,7 @@ exports.getPlaylist = async (playlist_id, user_uid = null, require_sharing = fal
}
// prevent unauthorized users from accessing the file info
if (require_sharing && !playlist['sharingEnabled']) return null;
if (require_sharing && (!playlist || !playlist['sharingEnabled'])) return null;
return playlist;
}

Loading…
Cancel
Save