From 2da013583b6fd71230cc8777431d592757911e6b Mon Sep 17 00:00:00 2001
From: Paul Bienkowski
Date: Sat, 21 Nov 2020 16:39:16 +0100
Subject: [PATCH] fix: raise forbidden when viewing invisible track and not author

---
 routes/api/tracks.js | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/routes/api/tracks.js b/routes/api/tracks.js
index 24e6827..80092b0 100644
--- a/routes/api/tracks.js
+++ b/routes/api/tracks.js
@@ -332,6 +332,11 @@ router.get(
 req.payload ? User.findById(req.payload.id) : null,
 req.track.populate('author').execPopulate(),
 ]);
+
+ if (!req.track.visible && req.track.author._id.toString() !== req.payload?.id?.toString()) {
+ return res.sendStatus(403);
+ }
+
 return res.json({ track: req.track.toJSONFor(user, { body: true }) });
 }),
 );
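Review bot: The new guard dereferences `req.track.author._id` unconditionally, so an invisible track whose author no longer resolves (populate yielding null, e.g. a deleted account) would throw a TypeError at the check instead of being denied; read the id defensively and fail closed when it is missing: `const authorId = req.track.author?._id?.toString();` followed by `if (!req.track.visible && (!authorId || authorId !== req.payload?.id?.toString())) return res.sendStatus(403);`. Consider also answering 404 rather than 403 to non-owners, since a 403 confirms to anyone who can guess or enumerate ids that a track with that id exists, which is presumably what "invisible" is meant to hide. If `req.track` is resolved by a shared param middleware that other track routes also use (not visible in this hunk), the visibility check belongs there so every handler that loads the track enforces it rather than only this GET. The enclosing `router.get(` handler starts outside the hunk.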