Fix album permissions by role

server/controllers/albums.controller.ts

@@ -8,9 +8,12 @@ const getDetail = async (
   req: TypedRequest<typeof validation.albums.detail>,
   res: Response
 ) => {
-  const { albumId } = req.params;
+  const { albumId, serverId } = req.params;
 
-  const album = await service.albums.findById(req.authUser, { id: albumId });
+  const album = await service.albums.findById(req.authUser, {
+    id: albumId,
+    serverId,
+  });
 
   const success = ApiSuccess.ok({
     data: toApiModel.albums({ items: [album], user: req.authUser })[0],

server/helpers/shared.helpers.ts

@@ -20,14 +20,22 @@ const checkServerPermissions = (
 
 const checkServerFolderPermissions = (
   user: AuthUser,
-  options: { serverFolderId?: string[] | string }
+  options: { serverFolderId?: string[] | string; serverId: string }
 ) => {
-  const { serverFolderId } = options;
+  const { serverFolderId, serverId } = options;
 
   if (user.isAdmin || !serverFolderId) {
     return;
   }
 
+  const isServerAdmin =
+    user.serverPermissions.find((s) => s.serverId === serverId)?.type ===
+    ServerPermissionType.ADMIN;
+
+  if (isServerAdmin) {
+    return;
+  }
+
   let ids: string[] = [];
   if (typeof serverFolderId === 'string') {
     ids = [serverFolderId];

server/routes/index.ts

@@ -1,4 +1,3 @@
-import { ServerPermissionType } from '@prisma/client';
 import { Router } from 'express';
 import { helpers } from '../helpers';
 import { authenticate } from '../middleware';
@@ -33,15 +32,10 @@ routes.param('serverId', (req, _res, next, serverId) => {
 
   helpers.shared.checkServerPermissions(req.authUser, { serverId });
 
-  const isNotServerAdmin =
+  helpers.shared.checkServerFolderPermissions(req.authUser, {
-    req.authUser.serverPermissions.find((s) => s.serverId === serverId)
+    serverFolderId,
-      ?.type !== ServerPermissionType.ADMIN;
+    serverId,
-
+  });
-  if (isNotServerAdmin) {
-    helpers.shared.checkServerFolderPermissions(req.authUser, {
-      serverFolderId,
-    });
-  }
 
   if (typeof req.query.serverFolderId === 'string') {
     req.query.serverFolderId = [req.query.serverFolderId];

server/services/albums.service.ts

@@ -6,8 +6,11 @@ import { AdvancedFilterGroup, AlbumSort } from '@helpers/albums.helpers';
 import { helpers } from '@helpers/index';
 import { prisma } from '@lib/prisma';
 
-const findById = async (user: AuthUser, options: { id: string }) => {
+const findById = async (
-  const { id } = options;
+  user: AuthUser,
+  options: { id: string; serverId: string }
+) => {
+  const { id, serverId } = options;
 
   const album = await prisma.album.findUnique({
     include: helpers.albums.include(user, { songs: true }),
@@ -19,7 +22,10 @@ const findById = async (user: AuthUser, options: { id: string }) => {
   }
 
   const serverFolderId = album.serverFolders.map((s) => s.id);
-  helpers.shared.checkServerFolderPermissions(user, { serverFolderId });
+  helpers.shared.checkServerFolderPermissions(user, {
+    serverFolderId,
+    serverId,
+  });
 
   return album;
 };