Fix: missing check for draft status on album editing

svsticky · Feb 22, 2024 · 78ec089 · 78ec089
1 parent b8fbc69
commit 78ec089
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/server/chroma/src/routes/v1/album/update.rs b/server/chroma/src/routes/v1/album/update.rs
@@ -35,6 +35,10 @@ pub async fn update(
         .await?
         .ok_or(Error::NotFound)?;
 
+    if !album.is_draft && !auth.is_admin {
+        return Err(Error::Forbidden);
+    }
+
     if let Some(name) = &payload.name {
         if name.len() > Album::MAX_NAME_LENGTH {
             return Err(Error::BadRequest(format!(