some playlist ownership check

This commit is contained in:
nixo 2019-05-19 23:27:44 +02:00
parent c7a7dbd7fa
commit 61449fd235
4 changed files with 48 additions and 15 deletions

View File

@ -7,6 +7,10 @@ import UUIDs
import HTTP import HTTP
using JSON2 using JSON2
# # Playlist cover art support
# The idea is to sum all the album arts in some way. But it's easier to get one random
# using FileIO, Images
const domain = "nixo.xyz" const domain = "nixo.xyz"
include("types.jl") include("types.jl")

View File

@ -292,7 +292,10 @@ function createPlaylist(req)
return not_found("playlistId") return not_found("playlistId")
end end
elseif !isempty(name) elseif !isempty(name)
playlist = Playlist(req[:login][:user].name, name = name) playlist = Playlist(req[:login][:user].name,
name = name,
# cover = ???
)
push!(playlist, song) push!(playlist, song)
else else
return missing_parameter("either name or playlistId") return missing_parameter("either name or playlistId")
@ -319,15 +322,21 @@ function getPlaylists(req)
return subsonic_return(xdoc) return subsonic_return(xdoc)
end end
import Base.get
function get(::Type{Playlist}, u::User, id::AbstractString)
global user_playlists
findfirst(p -> p.uuid == id,
filter(p -> canread(u, p),
user_playlists))
end
"Returns a listing of files in a saved playlist." "Returns a listing of files in a saved playlist."
function getPlaylist(req) function getPlaylist(req)
global user_playlists global user_playlists
query = HTTP.URIs.queryparams(req[:query]) query = HTTP.URIs.queryparams(req[:query])
id = get(query, "id", "") id = get(query, "id", "")
isempty(id) && return missing_parameter("id") isempty(id) && return missing_parameter("id")
m = findfirst(p -> p.uuid == id, m = get(Playlist, req[:login][:user], id)
filter(p -> canread(req[:login][:user], p),
user_playlists))
m == nothing && return not_found("id") m == nothing && return not_found("id")
(xdoc, xroot) = subsonic() (xdoc, xroot) = subsonic()
append!(xroot, user_playlists[m]) append!(xroot, user_playlists[m])
@ -340,11 +349,12 @@ function updatePlaylist(req)
query = HTTP.URIs.queryparams(req[:query]) query = HTTP.URIs.queryparams(req[:query])
playlistId = get(query, "playlistId", "") playlistId = get(query, "playlistId", "")
isempty(playlistId) && return missing_parameter("playlistId") isempty(playlistId) && return missing_parameter("playlistId")
# FIXME: check ownership m = get(Playlist, req[:login][:user], playlistId)
pn = findfirst(p -> p.uuid == playlistId, m == nothing && return not_found("playlistId")
user_playlists) playlist = user_playlists[m]
pn == nothing && return not_found("playlistId")
playlist = user_playlists[pn] # Check ownership (if not allowed, should not even reach this (canread is false))
canedit(req[:login][:user], playlist) || return not_allowed()
playlist.name = get(query, "name", playlist.name) playlist.name = get(query, "name", playlist.name)
playlist.comment = get(query, "comment", playlist.comment) playlist.comment = get(query, "comment", playlist.comment)
# FIXME: use try/catch # FIXME: use try/catch
@ -376,8 +386,14 @@ function deletePlaylist(req)
query = HTTP.URIs.queryparams(req[:query]) query = HTTP.URIs.queryparams(req[:query])
id = get(query, "id", "") id = get(query, "id", "")
isempty(id) && return missing_parameter("id") isempty(id) && return missing_parameter("id")
# FIXME: check ownership m = findfirst(p -> p.uuid == id, user_playlists)
filter!(p -> p.uuid != id, user_playlists) m === nothing && return not_found("id")
if !canedit(req[:login][:user], user_playlists[m])
return unuthorized()
end
deleteat!(user_playlists, m)
saveplaylists() saveplaylists()
@subsonic(nothing) @subsonic(nothing)
end end

View File

@ -43,7 +43,22 @@ GET :url/stream:auth&id=df5937fd-d79b-40b5-bf14-8c29c54e1bdb
GET :url/getPlaylists:auth GET :url/getPlaylists:auth
# Get single playlist # Get single playlist
GET :url/getPlaylist:auth&id=512c6d5e-798f-47f7-a50d-116ef647109e GET :url/getPlaylist:auth&id=a2df9320-4775-40a5-9830-8960f3eb9203
# Get not owned playlist
GET :url/getPlaylist:auth&id=799f5074-5db2-4daa-b449-9677d0c7744c
# Delete not owned playlist
GET :url/deletePlaylist:auth&id=799f5074-5db2-4daa-b449-9677d0c7744c
# Update not owned playlist
GET :url/updatePlaylist:auth&playlistId=799f5074-5db2-4daa-b449-9677d0c7744c
# Update owned playlist
GET :url/updatePlaylist:auth&playlistId=a2df9320-4775-40a5-9830-8960f3eb9203&name=nuovo
# Delete owned playlist
GET :url/deletePlaylist:auth&id=a2df9320-4775-40a5-9830-8960f3eb9203

View File

@ -54,9 +54,7 @@ function loadusers(; file = expanduser("~/.config/beets/users.jsonl"))
ps = JSON2.readlines(file) ps = JSON2.readlines(file)
p = JSON2.read.(ps, JlSonic.User) p = JSON2.read.(ps, JlSonic.User)
empty!(users) empty!(users)
for pl in p append!(users, p)
push!(users, pl)
end
end end
sonic_login = stack(getlogin, checkpassword) sonic_login = stack(getlogin, checkpassword)