fix: don’t require showId for most playlist operations

Closes: #69

fix: don’t require showId for most playlist operations
35c39978 · Ernesto Rico Schmidt · a864b27e · 35c39978 · 35c39978
Verified Commit 35c39978 authored 1 year ago by Ernesto Rico Schmidt
--- a/api/v1/playlists.go
+++ b/api/v1/playlists.go
@@ -146,23 +146,30 @@ func (api *API) ReadPlaylistOfShow(c *gin.Context) {
 //	@Failure		500			{object}	ErrorResponse
 //	@Router			/api/v1/playlists/{id} [put]
 func (api *API) UpdatePlaylistOfShow(c *gin.Context) {
-	playlist := &store.Playlist{}
-	if err := json.NewDecoder(c.Request.Body).Decode(playlist); err != nil {
-		c.JSON(http.StatusBadRequest, ErrorResponse{Error: "error decoding playlist: " + err.Error()})
+	playlistID, err := idFromString(c.Param("playlist-id"))
+	if err != nil {
+		c.JSON(http.StatusBadRequest, ErrorResponse{Error: "invalid playlist-id: " + err.Error()})
 		return
 	}

-	if authorized, _ := authorizeRequestForShow(c, playlist.ShowID); !authorized {
+	// with this we are actively subverting the checks performed in api.store.UpdatePlaylist
+	showID, err := api.store.GetPlaylistShowID(playlistID)
+	if err != nil {
+		c.JSON(http.StatusBadRequest, ErrorResponse{Error: "wrong playlist-id: " + err.Error()})
 		return
 	}

-	id, err := idFromString(c.Param("playlist-id"))
-	if err != nil {
-		c.JSON(http.StatusBadRequest, ErrorResponse{Error: "invalid playlist-id: " + err.Error()})
+	if authorized, _ := authorizeRequestForShow(c, showID); !authorized {
+		return
+	}
+
+	playlist := &store.Playlist{}
+	if err := json.NewDecoder(c.Request.Body).Decode(playlist); err != nil {
+		c.JSON(http.StatusBadRequest, ErrorResponse{Error: "error decoding playlist: " + err.Error()})
 		return
 	}

-	if playlist, err = api.store.UpdatePlaylist(playlist.ShowID, id, *playlist); err != nil {
+	if playlist, err = api.store.UpdatePlaylist(showID, playlistID, *playlist); err != nil {
 		sendError(c, err)
 		return
 	}
@@ -182,23 +189,24 @@ func (api *API) UpdatePlaylistOfShow(c *gin.Context) {
 //	@Failure		500	{object}	ErrorResponse
 //	@Router			/api/v1/playlists/{id} [delete]
 func (api *API) DeletePlaylistOfShow(c *gin.Context) {
-	playlist := &store.Playlist{}
-	if err := json.NewDecoder(c.Request.Body).Decode(playlist); err != nil {
-		c.JSON(http.StatusBadRequest, ErrorResponse{Error: "error decoding playlist: " + err.Error()})
+	playlistID, err := idFromString(c.Param("playlist-id"))
+	if err != nil {
+		c.JSON(http.StatusBadRequest, ErrorResponse{Error: "invalid playlist-id: " + err.Error()})
 		return
 	}

-	if authorized, _ := authorizeRequestForShow(c, playlist.ShowID); !authorized {
+	// with this we are actively subverting the checks performed in api.store.DeletePlaylist
+	showID, err := api.store.GetPlaylistShowID(playlistID)
+	if err != nil {
+		c.JSON(http.StatusBadRequest, ErrorResponse{Error: "wrong playlist-id: " + err.Error()})
 		return
 	}

-	id, err := idFromString(c.Param("playlist-id"))
-	if err != nil {
-		c.JSON(http.StatusBadRequest, ErrorResponse{Error: "invalid playlist-id: " + err.Error()})
+	if authorized, _ := authorizeRequestForShow(c, showID); !authorized {
 		return
 	}

-	if err = api.store.DeletePlaylist(playlist.ShowID, id); err != nil {
+	if err = api.store.DeletePlaylist(showID, playlistID); err != nil {
 		sendError(c, err)
 		return
 	}

--- a/store/playlists.go
+++ b/store/playlists.go
@@ -212,3 +212,14 @@ func (st *Store) GetPlaylistAllShows(id uint64) (playlist *Playlist, err error)
 	}).Preload("Entries.File").First(playlist, id).Error
 	return
 }
+
+func (st *Store) GetPlaylistShowID(id uint64) (uint64, error) {
+	// WARNING: using this function subverts the checks performed in the other functions
+	playlist := &Playlist{}
+
+	if err := st.db.First(playlist, "id = ?", id).Error; err != nil {
+		return 0, err
+	}
+
+	return playlist.ShowID, nil
+}