From 0b18a51c2e7dd15ab52fcd80f4dc4abda446e327 Mon Sep 17 00:00:00 2001
From: TidusJar
Date: Wed, 1 Aug 2018 13:41:24 +0100
Subject: [PATCH] Tightened up the security from an API perspecitve
---
 src/Ombi/Controllers/RequestController.cs | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/src/Ombi/Controllers/RequestController.cs b/src/Ombi/Controllers/RequestController.cs
index 6f2187061..c60261d1b 100644
--- a/src/Ombi/Controllers/RequestController.cs
+++ b/src/Ombi/Controllers/RequestController.cs
@@ -8,6 +8,7 @@ using System.Collections.Generic;
 using System.Threading.Tasks;
 using Ombi.Store.Entities.Requests;
 using System.Diagnostics;
+using Ombi.Attributes;
 using Ombi.Core.Models.UI;
 using Ombi.Models;
 using Ombi.Store.Entities;
@@ -93,6 +94,7 @@ namespace Ombi.Controllers
 /// The request identifier.
 ///
 [HttpDelete("movie/{requestId:int}")]
+ [PowerUser]
 public async Task DeleteRequest(int requestId)
 {
 await MovieRequestEngine.RemoveMovieRequest(requestId);
@@ -104,6 +106,7 @@ namespace Ombi.Controllers
 /// The Movie's ID
 ///
 [HttpPut("movie")]
+ [PowerUser]
 public async Task UpdateRequest([FromBody] MovieRequests model)
 {
 return await MovieRequestEngine.UpdateMovieRequest(model);
@@ -115,6 +118,7 @@ namespace Ombi.Controllers
 /// The Movie's ID
 ///
 [HttpPost("movie/approve")]
+ [PowerUser]
 public async Task ApproveMovie([FromBody] MovieUpdateModel model)
 {
 return await MovieRequestEngine.ApproveMovieById(model.Id);
@@ -126,6 +130,7 @@ namespace Ombi.Controllers
 /// The Movie's ID
 ///
 [HttpPost("movie/available")]
+ [PowerUser]
 public async Task MarkMovieAvailable([FromBody] MovieUpdateModel model)
 {
 return await MovieRequestEngine.MarkAvailable(model.Id);
@@ -137,6 +142,7 @@ namespace Ombi.Controllers
 /// The Movie's ID
 ///
 [HttpPost("movie/unavailable")]
+ [PowerUser]
 public async Task MarkMovieUnAvailable([FromBody] MovieUpdateModel model)
 {
 return await MovieRequestEngine.MarkUnavailable(model.Id);
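Review bot: The delete action is now gated on role alone: `RemoveMovieRequest(requestId)` is called with no caller identity, so the attribute is the only check between a caller and any request id. If the engine (not visible here) does not tie the request to the caller, any holder of the role can delete any request, and a user without it can no longer withdraw their own. If that is the intended policy, record it in the doc comment, for example `/// <remarks>Restricted by [PowerUser]; no per-request ownership check is made.</remarks>`. The same applies to `DeleteTvRequest` and `DeleteChildRequest` in the later hunks; the method body continues past the end of this hunk.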
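Review bot: `UpdateRequest` binds the request body straight onto `MovieRequests` and passes it to `UpdateMovieRequest(model)`, so the role check added here does not limit which fields a caller may overwrite. `MovieRequests` appears to be a store entity (the file imports `Ombi.Store.Entities.Requests`), so unless the engine copies an allow-list of fields, every persisted property is writable through this endpoint. I would bind a narrow update model that holds only the editable fields, or have the engine load the stored row by id and copy those fields across. The TV `UpdateRequest` (`TvRequests`) and `UpdateChild` (`ChildRequests`) hunks have the same shape, and the doc line `/// The Movie's ID` above this action describes the wrong parameter.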
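Review bot: `model.Id` is read without checking `model`, and with `[FromBody]` an empty or unparsable body can bind as null, which would surface as a NullReferenceException and a 500 rather than a client error. Whether that can happen depends on the framework version and on any validation filter on the controller, neither of which is visible in the hunk. A guard at the top of the body, `if (model == null)`, returning the action's error result would close it; the return type is not fully visible here, so I have not spelled out the return statement. `MarkMovieAvailable`, `MarkMovieUnAvailable`, `DenyMovie`, `DenyChild`, `MarkTvAvailable`, `MarkTvUnAvailable` and `ApproveChild` dereference `model.Id` the same way.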
@@ -148,6 +154,7 @@ namespace Ombi.Controllers
 /// The Movie's ID
 ///
 [HttpPut("movie/deny")]
+ [PowerUser]
 public async Task DenyMovie([FromBody] MovieUpdateModel model)
 {
 return await MovieRequestEngine.DenyMovieById(model.Id);
@@ -261,6 +268,7 @@ namespace Ombi.Controllers
 /// The request identifier.
 ///
 [HttpDelete("tv/{requestId:int}")]
+ [PowerUser]
 public async Task DeleteTvRequest(int requestId)
 {
 await TvRequestEngine.RemoveTvRequest(requestId);
@@ -272,6 +280,7 @@ namespace Ombi.Controllers
 /// The model.
 ///
 [HttpPut("tv")]
+ [PowerUser]
 public async Task UpdateRequest([FromBody] TvRequests model)
 {
 return await TvRequestEngine.UpdateTvRequest(model);
@@ -283,6 +292,7 @@ namespace Ombi.Controllers
 /// The model.
 ///
 [HttpPut("tv/child")]
+ [PowerUser]
 public async Task UpdateChild([FromBody] ChildRequests child)
 {
 return await TvRequestEngine.UpdateChildRequest(child);
@@ -294,6 +304,7 @@ namespace Ombi.Controllers
 /// This is the child request's ID
 ///
 [HttpPut("tv/deny")]
+ [PowerUser]
 public async Task DenyChild([FromBody] TvUpdateModel model)
 {
 return await TvRequestEngine.DenyChildRequest(model.Id);
@@ -305,6 +316,7 @@ namespace Ombi.Controllers
 /// The Movie's ID
 ///
 [HttpPost("tv/available")]
+ [PowerUser]
 public async Task MarkTvAvailable([FromBody] TvUpdateModel model)
 {
 return await TvRequestEngine.MarkAvailable(model.Id);
@@ -316,6 +328,7 @@ namespace Ombi.Controllers
 /// The Movie's ID
 ///
 [HttpPost("tv/unavailable")]
+ [PowerUser]
 public async Task MarkTvUnAvailable([FromBody] TvUpdateModel model)
 {
 return await TvRequestEngine.MarkUnavailable(model.Id);
@@ -327,6 +340,7 @@ namespace Ombi.Controllers
 /// This is the child request's ID
 ///
 [HttpPost("tv/approve")]
+ [PowerUser]
 public async Task ApproveChild([FromBody] TvUpdateModel model)
 {
 return await TvRequestEngine.ApproveChildRequest(model.Id);
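Review bot: Nothing in the patch guards against a mutating action being left without the attribute: it is applied one action at a time, and new lines 161 to 267 between this hunk and the next receive none. Those lines are not shown, so they may hold only read or create-request actions that ordinary users need, but that is worth confirming against the file. A small reflection test that fails when an action carrying `[HttpPut]`, `[HttpPost]` or `[HttpDelete]` has neither `[PowerUser]` nor an explicit, documented opt-out would keep later additions from shipping open by default.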
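Review bot: The doc comment kept above `MarkTvAvailable` still reads `/// The Movie's ID` although the action takes a `TvUpdateModel` and calls `TvRequestEngine.MarkAvailable`; the `MarkTvUnAvailable` hunk carries the same line. The id is probably the child request's, as the `DenyChild` comment says, but that should be confirmed against the engine. These comments presumably feed the generated API documentation, so I would correct the text and also state the new restriction, e.g. `/// <remarks>Restricted by the [PowerUser] attribute.</remarks>`, so API consumers can see why a call is refused.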
@@ -337,6 +351,7 @@ namespace Ombi.Controllers
 ///
 /// The model.
 ///
+ [PowerUser]
 [HttpDelete("tv/child/{requestId:int}")]
 public async Task DeleteChildRequest(int requestId)
 {
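Review bot: `[PowerUser]` is placed above `[HttpDelete("tv/child/{requestId:int}")]` here, while the other thirteen actions in this patch put it below the route attribute. Attribute order does not change behaviour, but a consistent position makes a missing role attribute easier to spot when scanning the controller. I would swap the two lines so the action reads `[HttpDelete("tv/child/{requestId:int}")]` followed by `[PowerUser]`. The method body lies outside the hunk.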