From 3c1a72b038fd178b4be4dc082cd1496474148d7e Mon Sep 17 00:00:00 2001
From: sct
Date: Tue, 9 Mar 2021 15:04:24 +0000
Subject: [PATCH] fix(api): check correct permissions for auto approve when requests are created
---
 server/routes/request.ts | 95 +++++++++++++++++++++-------------------
 1 file changed, 50 insertions(+), 45 deletions(-)
diff --git a/server/routes/request.ts b/server/routes/request.ts
index afec0d258..085975218 100644
--- a/server/routes/request.ts
+++ b/server/routes/request.ts
@@ -211,32 +211,34 @@ requestRoutes.post(
 media,
 requestedBy: requestUser,
 // If the user is an admin or has the "auto approve" permission, automatically approve the request
- status:
- req.user?.hasPermission(
+ status: req.user?.hasPermission(
+ [
 req.body.is4k
 ? Permission.AUTO_APPROVE_4K
- : Permission.AUTO_APPROVE
- ) ||
- req.user?.hasPermission(
+ : Permission.AUTO_APPROVE,
 req.body.is4k
 ? Permission.AUTO_APPROVE_4K_MOVIE
- : Permission.AUTO_APPROVE_MOVIE
- )
- ? MediaRequestStatus.APPROVED
- : MediaRequestStatus.PENDING,
- modifiedBy:
- req.user?.hasPermission(
+ : Permission.AUTO_APPROVE_MOVIE,
+ Permission.MANAGE_REQUESTS,
+ ],
+ { type: 'or' }
+ )
+ ? MediaRequestStatus.APPROVED
+ : MediaRequestStatus.PENDING,
+ modifiedBy: req.user?.hasPermission(
+ [
 req.body.is4k
 ? Permission.AUTO_APPROVE_4K
- : Permission.AUTO_APPROVE
- ) ||
- req.user?.hasPermission(
+ : Permission.AUTO_APPROVE,
 req.body.is4k
 ? Permission.AUTO_APPROVE_4K_MOVIE
- : Permission.AUTO_APPROVE_MOVIE
- )
- ? req.user
- : undefined,
+ : Permission.AUTO_APPROVE_MOVIE,
+ Permission.MANAGE_REQUESTS,
+ ],
+ { type: 'or' }
+ )
+ ? req.user
+ : undefined,
 is4k: req.body.is4k,
 serverId: req.body.serverId,
 profileId: req.body.profileId,
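Review bot: The auto-approve decision is written out twice in this hunk, once for `status` and once for `modifiedBy`, as two identical permission arrays, so the two fields can drift apart the next time the rule changes. The TV hunks at -286 and -321 carry three more copies of the same pattern, the last of them evaluated inside the per-season callback. Evaluating the check once before the request object is built and reusing the boolean keeps the approval status and the recorded approver tied to a single authorization decision. The object literal starts and ends outside the hunk, so the exact placement of the constant is not visible here.

```typescript
// … placed before the request object is constructed (outside this hunk) …
const canAutoApprove = req.user?.hasPermission(
  [
    req.body.is4k ? Permission.AUTO_APPROVE_4K : Permission.AUTO_APPROVE,
    req.body.is4k
      ? Permission.AUTO_APPROVE_4K_MOVIE
      : Permission.AUTO_APPROVE_MOVIE,
    Permission.MANAGE_REQUESTS,
  ],
  { type: 'or' }
);

// … unchanged: media, requestedBy …
status: canAutoApprove
  ? MediaRequestStatus.APPROVED
  : MediaRequestStatus.PENDING,
modifiedBy: canAutoApprove ? req.user : undefined,
// … unchanged: is4k, serverId, profileId …
```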
@@ -286,32 +288,34 @@ requestRoutes.post(
 media,
 requestedBy: requestUser,
 // If the user is an admin or has the "auto approve" permission, automatically approve the request
- status:
- req.user?.hasPermission(
+ status: req.user?.hasPermission(
+ [
 req.body.is4k
 ? Permission.AUTO_APPROVE_4K
- : Permission.AUTO_APPROVE
- ) ||
- req.user?.hasPermission(
+ : Permission.AUTO_APPROVE,
 req.body.is4k
 ? Permission.AUTO_APPROVE_4K_TV
- : Permission.AUTO_APPROVE_TV
- )
- ? MediaRequestStatus.APPROVED
- : MediaRequestStatus.PENDING,
- modifiedBy:
- req.user?.hasPermission(
+ : Permission.AUTO_APPROVE_TV,
+ Permission.MANAGE_REQUESTS,
+ ],
+ { type: 'or' }
+ )
+ ? MediaRequestStatus.APPROVED
+ : MediaRequestStatus.PENDING,
+ modifiedBy: req.user?.hasPermission(
+ [
 req.body.is4k
 ? Permission.AUTO_APPROVE_4K
- : Permission.AUTO_APPROVE
- ) ||
- req.user?.hasPermission(
+ : Permission.AUTO_APPROVE,
 req.body.is4k
 ? Permission.AUTO_APPROVE_4K_TV
- : Permission.AUTO_APPROVE_TV
- )
- ? req.user
- : undefined,
+ : Permission.AUTO_APPROVE_TV,
+ Permission.MANAGE_REQUESTS,
+ ],
+ { type: 'or' }
+ )
+ ? req.user
+ : undefined,
 is4k: req.body.is4k,
 serverId: req.body.serverId,
 profileId: req.body.profileId,
@@ -321,19 +325,20 @@ requestRoutes.post(
 (sn) =>
 new SeasonRequest({
 seasonNumber: sn,
- status:
- req.user?.hasPermission(
+ status: req.user?.hasPermission(
+ [
 req.body.is4k
 ? Permission.AUTO_APPROVE_4K
- : Permission.AUTO_APPROVE
- ) ||
- req.user?.hasPermission(
+ : Permission.AUTO_APPROVE,
 req.body.is4k
 ? Permission.AUTO_APPROVE_4K_TV
- : Permission.AUTO_APPROVE_TV
- )
- ? MediaRequestStatus.APPROVED
- : MediaRequestStatus.PENDING,
+ : Permission.AUTO_APPROVE_TV,
+ Permission.MANAGE_REQUESTS,
+ ],
+ { type: 'or' }
+ )
+ ? MediaRequestStatus.APPROVED
+ : MediaRequestStatus.PENDING,
 })
 ),
 });
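Review bot: The context comment above `status` in the -286 hunk no longer describes the rule: it names only admins and the "auto approve" permission, while the new array also approves for `Permission.MANAGE_REQUESTS` and picks the 4K or non-4K permission from `req.body.is4k`. The same stale comment sits in the movie hunk at -211, and the per-season `status` in the -321 hunk has no comment at all. Suggested wording: `// Auto-approve when req.user is an admin, holds MANAGE_REQUESTS, or holds the auto-approve permission matching this media type and 4K flag; modifiedBy then records req.user as the approver`. Spelling out that the caller is recorded as their own approver helps anyone auditing request history later. The object literal continues outside the hunk.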