From a20f395c94c97dd7ddbc25590f15def2c9bf13c9 Mon Sep 17 00:00:00 2001
From: TheCatLady <52870424+TheCatLady@users.noreply.github.com>
Date: Fri, 8 Oct 2021 09:14:20 -0400
Subject: [PATCH] fix(api): use query builder for user requests endpoint (#2119)
---
 server/routes/user/index.ts | 37 +++++++++++++++++++++++++++----------
 1 file changed, 27 insertions(+), 10 deletions(-)
diff --git a/server/routes/user/index.ts b/server/routes/user/index.ts
index 4bccc772d..5d847e232 100644
--- a/server/routes/user/index.ts
+++ b/server/routes/user/index.ts
@@ -194,14 +194,11 @@ router.use('/:id/settings', userSettingsRoutes);
 router.get<{ id: string }, UserRequestsResponse>(
 '/:id/requests',
 async (req, res, next) => {
- const userRepository = getRepository(User);
- const requestRepository = getRepository(MediaRequest);
-
 const pageSize = req.query.take ? Number(req.query.take) : 20;
 const skip = req.query.skip ? Number(req.query.skip) : 0;
 try {
- const user = await userRepository.findOne({
+ const user = await getRepository(User).findOne({
 where: { id: Number(req.params.id) },
 });
@@ -209,12 +206,32 @@ router.get<{ id: string }, UserRequestsResponse>(
 return next({ status: 404, message: 'User not found.' });
 }
- const [requests, requestCount] = await requestRepository.findAndCount({
- where: { requestedBy: user },
- order: { id: 'DESC' },
- take: pageSize,
- skip,
- });
+ if (
+ user.id !== req.user?.id &&
+ !req.user?.hasPermission(
+ [Permission.MANAGE_REQUESTS, Permission.REQUEST_VIEW],
+ { type: 'or' }
+ )
+ ) {
+ return next({
+ status: 403,
+ message: "You do not have permission to view this user's requests.",
+ });
+ }
+
+ const [requests, requestCount] = await getRepository(MediaRequest)
+ .createQueryBuilder('request')
+ .leftJoinAndSelect('request.media', 'media')
+ .leftJoinAndSelect('request.seasons', 'seasons')
+ .leftJoinAndSelect('request.modifiedBy', 'modifiedBy')
+ .leftJoinAndSelect('request.requestedBy', 'requestedBy')
+ .andWhere('requestedBy.id = :id', {
+ id: req.user?.id,
+ })
+ .orderBy('request.id', 'DESC')
+ .take(pageSize)
+ .skip(skip)
+ .getManyAndCount();
 return res.status(200).json({
 pageInfo: {
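Review bot: The `.andWhere('requestedBy.id = :id', { id: req.user?.id })` parameter binds the caller's id rather than the looked-up target `user.id`, so a caller who passes the new MANAGE_REQUESTS / REQUEST_VIEW check and fetches `/:id/requests` for another user gets their own requests back, while the removed code correctly used `where: { requestedBy: user }`. The fix is a one-token change: `id: user.id,`. The 403 guard above the query is the right shape; once the filter uses `user.id` the query no longer needs `req.user` at all, which also removes the `?.` that would otherwise silently bind `undefined` when `req.user` is absent. Separately, `.take(pageSize)` accepts whatever the client supplied via `req.query.take` (computed above this hunk), so a sanity cap before the query would prevent an unbounded page size. The route handler's closing lines are outside the hunk.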