Disallow creating or deleting a library if not owner role (#581)

Dusk-Labs · Nov 27, 2023 · 619329d · 619329d
1 parent b13b745
commit 619329d
Show file tree

Hide file tree

Showing 4 changed files with 43 additions and 17 deletions.
diff --git a/dim-web/src/routes/library.rs b/dim-web/src/routes/library.rs
@@ -3,6 +3,7 @@
 use std::collections::HashMap;
 use std::sync::Arc;
 
+use axum::Extension;
 use axum::extract::{Path, Query, State};
 use axum::response::{IntoResponse, Response};
 use axum::Json;
@@ -13,6 +14,7 @@ use dim_database::compact_mediafile::CompactMediafile;
 use dim_database::library::{InsertableLibrary, Library, MediaType};
 use dim_database::media::Media;
 use dim_database::mediafile::MediaFile;
+use dim_database::user::User;
 
 use dim_extern_api::tmdb::TMDBMetadataProvider;
 
@@ -29,9 +31,16 @@ use crate::AppState;
 /// been created. This method can only be accessed by authenticated users. Method returns 200 OK
 ///
 pub async fn library_post(
+    Extension(user): Extension<User>,
     State(state): State<AppState>,
     Json(new_library): Json<InsertableLibrary>,
 ) -> Response {
+    if !user.has_role("owner") {
+        return (
+            StatusCode::UNAUTHORIZED,
+            "User account is not allowed to add a library.".to_string(),
+        ).into_response();
+    }
     let mut lock = state.conn.writer().lock_owned().await;
 
     let mut tx = match dim_database::write_tx(&mut lock).await {
@@ -87,9 +96,13 @@ pub async fn library_post(
 
 /// Method mapped to `DELETE /api/v1/library/<id>` deletes the library with the supplied id from the path.
 pub async fn library_delete(
+    Extension(user): Extension<User>,
     State(AppState { conn, .. }): State<AppState>,
     Path(id): Path<i64>,
 ) -> Result<StatusCode, DimErrorWrapper> {
+    if !user.has_role("owner") {
+        return Err(DimErrorWrapper(DimError::Unauthorized));
+    }
     // First we mark the library as scheduled for deletion which will make the library and all its
     // content hidden. This is necessary because huge libraries take a long time to delete.
     {

diff --git a/ui/src/Components/Sidebar/Libraries.jsx b/ui/src/Components/Sidebar/Libraries.jsx
@@ -15,6 +15,7 @@ import Library from "./Library";
 function Libraries() {
   const dispatch = useDispatch();
 
+  const user = useSelector((store) => store.user);
   const libraries = useSelector((store) => store.library.fetch_libraries);
   const ws = useWebSocket();
 
@@ -63,9 +64,11 @@ function Libraries() {
     <section className="libraries">
       <header>
         <h4>Libraries</h4>
-        <NewLibraryModal>
-          <button className="openNewLibrary">+</button>
-        </NewLibraryModal>
+        {user.info.roles?.includes("owner") && (
+          <NewLibraryModal>
+            <button className="openNewLibrary">+</button>
+          </NewLibraryModal>
+        )}
       </header>
       <div className="list">{libs}</div>
     </section>

diff --git a/ui/src/Pages/Dashboard/Banners/Banner.tsx b/ui/src/Pages/Dashboard/Banners/Banner.tsx
@@ -19,8 +19,9 @@ interface Props {
 }
 
 function Banner({ data, isError, isFetching }: Props) {
-  const { libraries } = useAppSelector((store) => ({
+  const { libraries, user } = useAppSelector((store) => ({
     libraries: store.library.fetch_libraries,
+    user: store.user,
   }));
 
   if (isFetching || isError) {
@@ -39,9 +40,11 @@ function Banner({ data, isError, isFetching }: Props) {
               Populate the folders they are pointing to with media or add
               another library with existing media
             </p>
-            <NewLibraryModal>
-              <button>Add another library</button>
-            </NewLibraryModal>
+            {user.info.roles?.includes("owner") && (
+              <NewLibraryModal>
+                <button>Add another library</button>
+              </NewLibraryModal>
+            )}
           </div>
         </div>
       );
@@ -56,9 +59,11 @@ function Banner({ data, isError, isFetching }: Props) {
               You will be able to see all the media from your libraries here,
               organized for quick and easy access.
             </p>
-            <NewLibraryModal>
-              <button>Add library</button>
-            </NewLibraryModal>
+            {user.info.roles?.includes("owner") && (
+              <NewLibraryModal>
+                <button>Add library</button>
+              </NewLibraryModal>
+            )}
           </div>
         </div>
       );

diff --git a/ui/src/Pages/Library/Dropdown.jsx b/ui/src/Pages/Library/Dropdown.jsx
@@ -1,4 +1,5 @@
 import { useCallback, useEffect, useRef, useState } from "react";
+import { useSelector } from "react-redux";
 import { useParams } from "react-router";
 
 import Delete from "./Actions/Delete";
@@ -11,6 +12,8 @@ function Dropdown() {
   const dropdownRef = useRef(null);
   const params = useParams();
 
+  const user = useSelector((store) => store.user);
+
   const [dropdownVisible, setDropdownVisible] = useState(false);
 
   const handleClick = useCallback((e) => {
@@ -43,13 +46,15 @@ function Dropdown() {
         <div />
         <div />
       </div>
-      <div className={`dropDownContent visible-${dropdownVisible}`}>
-        <Delete id={params.id} />
-        <button className="rename">
-          Rename library
-          <EditIcon />
-        </button>
-      </div>
+      {user.info.roles?.includes("owner") && (
+        <div className={`dropDownContent visible-${dropdownVisible}`}>
+          <Delete id={params.id} />
+          <button className="rename">
+            Rename library
+            <EditIcon />
+          </button>
+        </div>
+      )}
     </div>
   );
 }