fix(permissions): 🐛 Improved the security around the role "Manage Own Requests" (#4397)

* Secure ManageOwnRequests API paths Fixes #4391 * Hide delete request option if user is not allowed * Refactor CheckOwnRequests * Fix deleteRequest test * Improve performance and clean up code * Fix manageOwnRequests check * Refactor CheckCanManageRequest
2025-07-07 13:41:13 -07:00 · 2021-11-11 11:21:44 +01:00 · 2021-11-11 11:21:44 +01:00 · 334a32bca4
commit 334a32bca4
parent 4410790bc0
18 changed files with 106 additions and 36 deletions
--- a/src/Ombi.Core/Engine/BaseMediaEngine.cs
+++ b/src/Ombi.Core/Engine/BaseMediaEngine.cs
@ -78,6 +78,32 @@ namespace Ombi.Core.Engine
            return _dbTv;
        }

+        protected async Task<RequestEngineResult> CheckCanManageRequest(BaseRequest request) {
+            var errorResult = new RequestEngineResult {
+                Result = false,
+                ErrorCode = ErrorCode.NoPermissions
+            };
+            var successResult = new RequestEngineResult { Result = true };
+            
+            // Admins can always manage requests
+            var isAdmin = await IsInRole(OmbiRoles.PowerUser) || await IsInRole(OmbiRoles.Admin);
+            if (isAdmin) {
+                return successResult;
+            }
+
+            // Users with 'ManageOwnRequests' can only manage their own requests
+            var canManageOwnRequests = await IsInRole(OmbiRoles.ManageOwnRequests);
+            if (!canManageOwnRequests) {
+                return errorResult;
+            }
+            var isRequestedBySameUser = ( await GetUser() ).Id == request.RequestedUser?.Id;
+            if (isRequestedBySameUser) {
+                return successResult;
+            }
+
+            return errorResult;
+        }
+
        public RequestCountModel RequestCount()
        {
            var movieQuery = MovieRepository.GetAll();