From 61449fd235b167cb961eec38fa44c8859c370535 Mon Sep 17 00:00:00 2001 From: nixo Date: Sun, 19 May 2019 23:27:44 +0200 Subject: [PATCH] some playlist ownership check --- JlSonic/JlSonic.jl | 4 ++++ JlSonic/api.jl | 38 +++++++++++++++++++++++++++----------- airsonic.rest | 17 ++++++++++++++++- login.jl | 4 +--- 4 files changed, 48 insertions(+), 15 deletions(-) diff --git a/JlSonic/JlSonic.jl b/JlSonic/JlSonic.jl index ecfafe6..d1145bf 100644 --- a/JlSonic/JlSonic.jl +++ b/JlSonic/JlSonic.jl @@ -7,6 +7,10 @@ import UUIDs import HTTP using JSON2 +# # Playlist cover art support +# The idea is to sum all the album arts in some way. But it's easier to get one random +# using FileIO, Images + const domain = "nixo.xyz" include("types.jl") diff --git a/JlSonic/api.jl b/JlSonic/api.jl index c764dbc..9dac677 100644 --- a/JlSonic/api.jl +++ b/JlSonic/api.jl @@ -292,7 +292,10 @@ function createPlaylist(req) return not_found("playlistId") end elseif !isempty(name) - playlist = Playlist(req[:login][:user].name, name = name) + playlist = Playlist(req[:login][:user].name, + name = name, + # cover = ??? + ) push!(playlist, song) else return missing_parameter("either name or playlistId") @@ -319,15 +322,21 @@ function getPlaylists(req) return subsonic_return(xdoc) end +import Base.get +function get(::Type{Playlist}, u::User, id::AbstractString) + global user_playlists + findfirst(p -> p.uuid == id, + filter(p -> canread(u, p), + user_playlists)) +end + "Returns a listing of files in a saved playlist." function getPlaylist(req) global user_playlists query = HTTP.URIs.queryparams(req[:query]) id = get(query, "id", "") isempty(id) && return missing_parameter("id") - m = findfirst(p -> p.uuid == id, - filter(p -> canread(req[:login][:user], p), - user_playlists)) + m = get(Playlist, req[:login][:user], id) m == nothing && return not_found("id") (xdoc, xroot) = subsonic() append!(xroot, user_playlists[m]) 
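Review bot: The new `get(::Type{Playlist}, u, id)` helper returns an index into the array produced by `filter`, not into `user_playlists`, yet `getPlaylist` in this hunk and `updatePlaylist` in the next one both use the result as `user_playlists[m]`. Whenever a playlist the user cannot read sits earlier in `user_playlists`, the two indices differ, so the request can return or modify a different playlist than the one that was checked, including one that `canread` would have rejected. Searching the original array with both conditions keeps the index valid: `findfirst(p -> p.uuid == id && canread(u, p), user_playlists)`. The body of `getPlaylist` continues past the end of the hunk.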
@@ -340,11 +349,12 @@ function updatePlaylist(req) query = HTTP.URIs.queryparams(req[:query]) playlistId = get(query, "playlistId", "") isempty(playlistId) && return missing_parameter("playlistId") - # FIXME: check ownership - pn = findfirst(p -> p.uuid == playlistId, - user_playlists) - pn == nothing && return not_found("playlistId") - playlist = user_playlists[pn] + m = get(Playlist, req[:login][:user], playlistId) + m == nothing && return not_found("playlistId") + playlist = user_playlists[m] + + # Check ownership (if not allowed, should not even reach this (canread is false)) + canedit(req[:login][:user], playlist) || return not_allowed() playlist.name = get(query, "name", playlist.name) playlist.comment = get(query, "comment", playlist.comment) # FIXME: use try/catch @@ -376,8 +386,14 @@ function deletePlaylist(req) query = HTTP.URIs.queryparams(req[:query]) id = get(query, "id", "") isempty(id) && return missing_parameter("id") - # FIXME: check ownership - filter!(p -> p.uuid != id, user_playlists) + m = findfirst(p -> p.uuid == id, user_playlists) + m === nothing && return not_found("id") + if !canedit(req[:login][:user], user_playlists[m]) + return unuthorized() + end + + deleteat!(user_playlists, m) + saveplaylists() @subsonic(nothing) end diff --git a/airsonic.rest b/airsonic.rest index be733e7..f2dc521 100644 --- a/airsonic.rest +++ b/airsonic.rest 
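Review bot: The comment above the `canedit` call says a caller who is not allowed should never reach it because `canread` is false, but the two predicates are separate checks. Any playlist that is readable without being editable (presumably shared or public ones) does reach this line, which makes it the actual write authorization rather than a redundant guard. I would reword the comment to `# canread only decides visibility; canedit is the authorization check for writes`. The rest of `updatePlaylist` lies outside the hunk.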
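Review bot: The denial branch calls `unuthorized()`, which looks like a misspelling; unless a function with exactly that name is defined elsewhere, a non-owner's delete request raises `UndefVarError` instead of returning a Subsonic error. `deleteat!` is still not reached, so the request fails closed, but the client sees an unhandled exception. `updatePlaylist` answers the same situation with `not_allowed()`, so `canedit(req[:login][:user], user_playlists[m]) || return not_allowed()` would keep the two endpoints consistent. The lookup here also skips the `canread` filter, so a playlist the caller cannot see yields an authorization error rather than `not_found("id")`, which confirms that the id exists; rejecting unreadable playlists with `not_found` first would match `getPlaylist`.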
@@ -43,7 +43,22 @@ GET :url/stream:auth&id=df5937fd-d79b-40b5-bf14-8c29c54e1bdb GET :url/getPlaylists:auth # Get single playlist -GET :url/getPlaylist:auth&id=512c6d5e-798f-47f7-a50d-116ef647109e +GET :url/getPlaylist:auth&id=a2df9320-4775-40a5-9830-8960f3eb9203 + +# Get not owned playlist +GET :url/getPlaylist:auth&id=799f5074-5db2-4daa-b449-9677d0c7744c + +# Delete not owned playlist +GET :url/deletePlaylist:auth&id=799f5074-5db2-4daa-b449-9677d0c7744c + +# Update not owned playlist +GET :url/updatePlaylist:auth&playlistId=799f5074-5db2-4daa-b449-9677d0c7744c + +# Update owned playlist +GET :url/updatePlaylist:auth&playlistId=a2df9320-4775-40a5-9830-8960f3eb9203&name=nuovo + +# Delete owned playlist +GET :url/deletePlaylist:auth&id=a2df9320-4775-40a5-9830-8960f3eb9203 diff --git a/login.jl b/login.jl index 00e0f34..581551d 100644 --- a/login.jl +++ b/login.jl @@ -54,9 +54,7 @@ function loadusers(; file = expanduser("~/.config/beets/users.jsonl")) ps = JSON2.readlines(file) p = JSON2.read.(ps, JlSonic.User) empty!(users) - for pl in p - push!(users, pl) - end + append!(users, p) end sonic_login = stack(getlogin, checkpassword)