fix(api): use query builder for user requests endpoint (#2119)

server/routes/user/index.ts

@@ -194,14 +194,11 @@ router.use('/:id/settings', userSettingsRoutes);
 router.get<{ id: string }, UserRequestsResponse>(
   '/:id/requests',
   async (req, res, next) => {
-    const userRepository = getRepository(User);
-    const requestRepository = getRepository(MediaRequest);
-
     const pageSize = req.query.take ? Number(req.query.take) : 20;
     const skip = req.query.skip ? Number(req.query.skip) : 0;
 
     try {
-      const user = await userRepository.findOne({
+      const user = await getRepository(User).findOne({
         where: { id: Number(req.params.id) },
       });
 
@@ -209,12 +206,32 @@ router.get<{ id: string }, UserRequestsResponse>(
         return next({ status: 404, message: 'User not found.' });
       }
 
-      const [requests, requestCount] = await requestRepository.findAndCount({
+      if (
-        where: { requestedBy: user },
+        user.id !== req.user?.id &&
-        order: { id: 'DESC' },
+        !req.user?.hasPermission(
-        take: pageSize,
+          [Permission.MANAGE_REQUESTS, Permission.REQUEST_VIEW],
-        skip,
+          { type: 'or' }
-      });
+        )
+      ) {
+        return next({
+          status: 403,
+          message: "You do not have permission to view this user's requests.",
+        });
+      }
+
+      const [requests, requestCount] = await getRepository(MediaRequest)
+        .createQueryBuilder('request')
+        .leftJoinAndSelect('request.media', 'media')
+        .leftJoinAndSelect('request.seasons', 'seasons')
+        .leftJoinAndSelect('request.modifiedBy', 'modifiedBy')
+        .leftJoinAndSelect('request.requestedBy', 'requestedBy')
+        .andWhere('requestedBy.id = :id', {
+          id: req.user?.id,
+        })
+        .orderBy('request.id', 'DESC')
+        .take(pageSize)
+        .skip(skip)
+        .getManyAndCount();
 
       return res.status(200).json({
         pageInfo: {