Fixed a RBS permission issue with Series Detail allowing a user to ac…

…cess a series without library access due to crafting a url with a library they do have access to.

API/Data/Repositories/LibraryRepository.cs

@@ -38,6 +38,7 @@ public interface ILibraryRepository
     Task<IEnumerable<Library>> GetLibrariesAsync(LibraryIncludes includes = LibraryIncludes.None);
     Task<bool> DeleteLibrary(int libraryId);
     Task<IEnumerable<Library>> GetLibrariesForUserIdAsync(int userId);
+    Task<IEnumerable<int>> GetLibraryIdsForUserIdAsync(int userId);
     Task<LibraryType> GetLibraryTypeAsync(int libraryId);
     Task<IEnumerable<Library>> GetLibraryForIdsAsync(IEnumerable<int> libraryIds, LibraryIncludes includes = LibraryIncludes.None);
     Task<int> GetTotalFiles();
@@ -111,6 +112,11 @@ public async Task<bool> DeleteLibrary(int libraryId)
         return await _context.SaveChangesAsync() > 0;
     }
 
+    /// <summary>
+    /// This does not track
+    /// </summary>
+    /// <param name="userId"></param>
+    /// <returns></returns>
     public async Task<IEnumerable<Library>> GetLibrariesForUserIdAsync(int userId)
     {
         return await _context.Library
@@ -120,6 +126,14 @@ public async Task<IEnumerable<Library>> GetLibrariesForUserIdAsync(int userId)
             .ToListAsync();
     }
 
+    public async Task<IEnumerable<int>> GetLibraryIdsForUserIdAsync(int userId)
+    {
+        return await _context.Library
+            .Where(l => l.AppUsers.Select(ap => ap.Id).Contains(userId))
+            .Select(l => l.Id)
+            .ToListAsync();
+    }
+
     public async Task<LibraryType> GetLibraryTypeAsync(int libraryId)
     {
         return await _context.Library

API/Services/SeriesService.cs

@@ -13,6 +13,7 @@
 using API.Entities.Enums;
 using API.Helpers;
 using API.SignalR;
+using Microsoft.AspNetCore.Mvc;
 using Microsoft.Extensions.Logging;
 
 namespace API.Services;
@@ -462,6 +463,9 @@ public async Task<bool> DeleteMultipleSeries(IList<int> seriesIds)
     public async Task<SeriesDetailDto> GetSeriesDetail(int seriesId, int userId)
     {
         var series = await _unitOfWork.SeriesRepository.GetSeriesDtoByIdAsync(seriesId, userId);
+        var libraryIds = (await _unitOfWork.LibraryRepository.GetLibraryIdsForUserIdAsync(userId));
+        if (!libraryIds.Contains(series.LibraryId))
+            throw new UnauthorizedAccessException("User does not have access to the library this series belongs to");
 
         var libraryType = await _unitOfWork.LibraryRepository.GetLibraryTypeAsync(series.LibraryId);
         var volumes = (await _unitOfWork.VolumeRepository.GetVolumesDtoAsync(seriesId, userId))

UI/Web/src/app/series-detail/series-detail.component.ts

@@ -3,7 +3,7 @@ import { Title } from '@angular/platform-browser';
 import { ActivatedRoute, Router } from '@angular/router';
 import { NgbModal, NgbNavChangeEvent, NgbOffcanvas } from '@ng-bootstrap/ng-bootstrap';
 import { ToastrService } from 'ngx-toastr';
-import { forkJoin, Subject } from 'rxjs';
+import { catchError, forkJoin, of, Subject } from 'rxjs';
 import { take, takeUntil } from 'rxjs/operators';
 import { BulkSelectionService } from '../cards/bulk-selection.service';
 import { EditSeriesModalComponent } from '../cards/_modals/edit-series-modal/edit-series-modal.component';
@@ -511,7 +511,11 @@ export class SeriesDetailComponent implements OnInit, OnDestroy, AfterContentChe
         }
       });
 
-      this.seriesService.getSeriesDetail(this.seriesId).subscribe(detail => {
+      this.seriesService.getSeriesDetail(this.seriesId).pipe(catchError(err => {
+        this.router.navigateByUrl('/libraries');
+        return of(null);
+      })).subscribe(detail => {
+        if (detail == null) return;
         this.hasSpecials = detail.specials.length > 0;
         this.specials = detail.specials;