mirror of
https://github.com/navidrome/navidrome.git
synced 2026-06-19 07:37:15 +00:00
Deluan Quintão
11640f2e4d
* fix(security): restrict transcoding config reads to admins
Authenticated non-admin users could read transcoding configs through
the native API (GET /api/transcoding and /api/transcoding/{id}) when
EnableTranscodingConfig was enabled. The responses included the full
command templates, disclosing admin-configured ffmpeg invocations and
local command paths. Write operations were already admin-only.
The /transcoding route was registered in the general authenticated
group, and only the repository's write methods checked IsAdmin. This
applies the boundary at two layers:
- Move the route under adminOnlyMiddleware, alongside the other
admin-only resources (/library, /config, /inspect).
- Add an IsAdmin guard to the repository's rest.Repository read
methods (Read, ReadAll, Count) as defense-in-depth.
The guard is scoped to the REST methods only. The streaming pipeline
resolves profiles via Get/FindByFormat (model.TranscodingRepository),
which stay open so transcoding keeps working for non-admin users.
Adds regression tests covering non-admin read denial and confirming
non-admin streaming lookups (Get/FindByFormat) still succeed.
* fix(security): redact transcoding Command for non-admins instead of blocking reads
Reworks the previous approach after review (Codex P2): moving /transcoding
under adminOnlyMiddleware and denying non-admin reads broke legitimate
non-admin UI flows. The web UI reads the transcoding resource as a regular
user in several places that need only the profile name and target format:
the player edit dropdown (ReferenceInput), the player list (ReferenceField),
and the share/download format pickers (useGetList -> {targetFormat, name}).
The only sensitive field is Command (the admin-owned ffmpeg template). So:
- Revert the route move; /transcoding stays in the authenticated group.
- Read/ReadAll now return the profiles to any authenticated user but blank
the Command field for non-admins (mirrors user_repository's field-level
redaction). Count is no longer denied (the UI needs list pagination).
- Writes remain admin-only (Save/Update/Delete/Put).
- Streaming is unaffected: it resolves profiles via Get/FindByFormat, which
are not redacted, so on-the-fly transcoding keeps working for non-admins.
Tests updated: non-admin reads succeed with Command blank, admin reads keep
Command, non-admin Get/FindByFormat keep Command, writes still denied.
128 lines
3.0 KiB
Go
128 lines
3.0 KiB
Go
package persistence
|
|
|
|
import (
|
|
"context"
|
|
"errors"
|
|
|
|
. "github.com/Masterminds/squirrel"
|
|
"github.com/deluan/rest"
|
|
"github.com/navidrome/navidrome/model"
|
|
"github.com/pocketbase/dbx"
|
|
)
|
|
|
|
type transcodingRepository struct {
|
|
sqlRepository
|
|
}
|
|
|
|
func NewTranscodingRepository(ctx context.Context, db dbx.Builder) model.TranscodingRepository {
|
|
r := &transcodingRepository{}
|
|
r.ctx = ctx
|
|
r.db = db
|
|
r.registerModel(&model.Transcoding{}, nil)
|
|
return r
|
|
}
|
|
|
|
func (r *transcodingRepository) Get(id string) (*model.Transcoding, error) {
|
|
sel := r.newSelect().Columns("*").Where(Eq{"id": id})
|
|
var res model.Transcoding
|
|
err := r.queryOne(sel, &res)
|
|
return &res, err
|
|
}
|
|
|
|
func (r *transcodingRepository) CountAll(qo ...model.QueryOptions) (int64, error) {
|
|
return r.count(Select(), qo...)
|
|
}
|
|
|
|
func (r *transcodingRepository) FindByFormat(format string) (*model.Transcoding, error) {
|
|
sel := r.newSelect().Columns("*").Where(Eq{"target_format": format})
|
|
var res model.Transcoding
|
|
err := r.queryOne(sel, &res)
|
|
return &res, err
|
|
}
|
|
|
|
func (r *transcodingRepository) Put(t *model.Transcoding) error {
|
|
if !loggedUser(r.ctx).IsAdmin {
|
|
return rest.ErrPermissionDenied
|
|
}
|
|
_, err := r.put(t.ID, t)
|
|
return err
|
|
}
|
|
|
|
func (r *transcodingRepository) Count(options ...rest.QueryOptions) (int64, error) {
|
|
return r.count(Select(), r.parseRestOptions(r.ctx, options...))
|
|
}
|
|
|
|
func (r *transcodingRepository) Read(id string) (any, error) {
|
|
res, err := r.Get(id)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if !loggedUser(r.ctx).IsAdmin {
|
|
res.Command = ""
|
|
}
|
|
return res, nil
|
|
}
|
|
|
|
func (r *transcodingRepository) ReadAll(options ...rest.QueryOptions) (any, error) {
|
|
sel := r.newSelect(r.parseRestOptions(r.ctx, options...)).Columns("*")
|
|
res := model.Transcodings{}
|
|
err := r.queryAll(sel, &res)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if !loggedUser(r.ctx).IsAdmin {
|
|
for i := range res {
|
|
res[i].Command = ""
|
|
}
|
|
}
|
|
return res, nil
|
|
}
|
|
|
|
func (r *transcodingRepository) EntityName() string {
|
|
return "transcoding"
|
|
}
|
|
|
|
func (r *transcodingRepository) NewInstance() any {
|
|
return &model.Transcoding{}
|
|
}
|
|
|
|
func (r *transcodingRepository) Save(entity any) (string, error) {
|
|
if !loggedUser(r.ctx).IsAdmin {
|
|
return "", rest.ErrPermissionDenied
|
|
}
|
|
t := entity.(*model.Transcoding)
|
|
id, err := r.put(t.ID, t)
|
|
if errors.Is(err, model.ErrNotFound) {
|
|
return "", rest.ErrNotFound
|
|
}
|
|
return id, err
|
|
}
|
|
|
|
func (r *transcodingRepository) Update(id string, entity any, cols ...string) error {
|
|
if !loggedUser(r.ctx).IsAdmin {
|
|
return rest.ErrPermissionDenied
|
|
}
|
|
t := entity.(*model.Transcoding)
|
|
t.ID = id
|
|
_, err := r.put(id, t)
|
|
if errors.Is(err, model.ErrNotFound) {
|
|
return rest.ErrNotFound
|
|
}
|
|
return err
|
|
}
|
|
|
|
func (r *transcodingRepository) Delete(id string) error {
|
|
if !loggedUser(r.ctx).IsAdmin {
|
|
return rest.ErrPermissionDenied
|
|
}
|
|
err := r.delete(Eq{"id": id})
|
|
if errors.Is(err, model.ErrNotFound) {
|
|
return rest.ErrNotFound
|
|
}
|
|
return err
|
|
}
|
|
|
|
var _ model.TranscodingRepository = (*transcodingRepository)(nil)
|
|
var _ rest.Repository = (*transcodingRepository)(nil)
|
|
var _ rest.Persistable = (*transcodingRepository)(nil)
|