fix: raise forbidden when viewing invisible track and not author

2020-11-21 16:39:16 +01:00 · 2020-11-21 16:39:16 +01:00 · 2da013583b
parent fb11a71663
commit 2da013583b
1 changed files with 5 additions and 0 deletions
--- a/routes/api/tracks.js
+++ b/routes/api/tracks.js
@ -332,6 +332,11 @@ router.get(
      req.payload ? User.findById(req.payload.id) : null,
      req.track.populate('author').execPopulate(),
    ]);
+
+    if (!req.track.visible && req.track.author._id.toString() !== req.payload?.id?.toString()) {
+      return res.sendStatus(403);
+    }
+
    return res.json({ track: req.track.toJSONFor(user, { body: true }) });
  }),
 );