fix: set editRequest attribute as necessary, allow users to edit their own pending requests, and show 'View Request' button on series pages (#1446)

* fix: set editRequest attribute for RequestModal * fix: remove now-unneeded conditional * fix(ui): only show 'View Request' for user's own requests if they don't have MANAGE_REQUESTS perm * fix(ui): show edit button on request list for own requests & 'View Request' button on series pages * fix(ui): do not show 'Request More' if user already has a pending request * fix: address PR comments * fix(lang): edit usercreatedfaileexisting string & generate translation key * fix: users should always be able to view/edit their own requests even if their perms have changed also fixed capitalization of 'Signing In...' string
2025-09-17 17:24:35 +02:00 · 2021-04-18 23:12:05 -04:00
parent f13f1c9451
commit 89455ad9b7
10 changed files with 246 additions and 182 deletions
--- a/server/routes/request.ts
+++ b/server/routes/request.ts
@@ -493,7 +493,6 @@ requestRoutes.get('/:requestId', async (req, res, next) => {

 requestRoutes.put<{ requestId: string }>(
  '/:requestId',
-  isAuthenticated(Permission.MANAGE_REQUESTS),
  async (req, res, next) => {
    const requestRepository = getRepository(MediaRequest);
    const userRepository = getRepository(User);
@@ -503,17 +502,30 @@ requestRoutes.put<{ requestId: string }>(
      );

      if (!request) {
-        return next({ status: 404, message: 'Request not found' });
+        return next({ status: 404, message: 'Request not found.' });
+      }
+
+      if (
+        (request.requestedBy.id !== req.user?.id ||
+          (req.body.mediaType !== 'tv' &&
+            !req.user?.hasPermission(Permission.REQUEST_ADVANCED))) &&
+        !req.user?.hasPermission(Permission.MANAGE_REQUESTS)
+      ) {
+        return next({
+          status: 403,
+          message: 'You do not have permission to modify this request.',
+        });
      }

      let requestUser = req.user;

      if (
        req.body.userId &&
-        !(
-          req.user?.hasPermission(Permission.MANAGE_USERS) &&
-          req.user?.hasPermission(Permission.MANAGE_REQUESTS)
-        )
+        req.body.userId !== req.user?.id &&
+        !req.user?.hasPermission([
+          Permission.MANAGE_USERS,
+          Permission.MANAGE_REQUESTS,
+        ])
      ) {
        return next({
          status: 403,
@@ -546,7 +558,7 @@ requestRoutes.put<{ requestId: string }>(

        if (!requestedSeasons || requestedSeasons.length === 0) {
          throw new Error(
-            'Missing seasons. If you want to cancel a tv request, use the DELETE method.'
+            'Missing seasons. If you want to cancel a series request, use the DELETE method.'
          );
        }

@@ -633,7 +645,7 @@ requestRoutes.delete('/:requestId', async (req, res, next) => {
    ) {
      return next({
        status: 401,
-        message: 'You do not have permission to remove this request',
+        message: 'You do not have permission to delete this request.',
      });
    }

@@ -642,7 +654,7 @@ requestRoutes.delete('/:requestId', async (req, res, next) => {
    return res.status(204).send();
  } catch (e) {
    logger.error(e.message);
-    next({ status: 404, message: 'Request not found' });
+    next({ status: 404, message: 'Request not found.' });
  }
 });

@@ -668,7 +680,7 @@ requestRoutes.post<{
        label: 'Media Request',
        message: e.message,
      });
-      next({ status: 404, message: 'Request not found' });
+      next({ status: 404, message: 'Request not found.' });
    }
  }
 );
@@ -712,7 +724,7 @@ requestRoutes.post<{
        label: 'Media Request',
        message: e.message,
      });
-      next({ status: 404, message: 'Request not found' });
+      next({ status: 404, message: 'Request not found.' });
    }
  }
 );