From 05820aa820b5ac0b9d8ce71efedae19fc8614269 Mon Sep 17 00:00:00 2001
From: advplyr
Date: Sun, 17 Dec 2023 11:17:35 -0600
Subject: [PATCH] Update:API endpoints /podcasts/feed and /podcasts/opml restricted to admin users
---
 server/controllers/PodcastController.js | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/server/controllers/PodcastController.js b/server/controllers/PodcastController.js
index 22c3cafa..035f9152 100644
--- a/server/controllers/PodcastController.js
+++ b/server/controllers/PodcastController.js
@@ -16,7 +16,7 @@ class PodcastController {
 async create(req, res) {
 if (!req.user.isAdminOrUp) {
- Logger.error(`[PodcastController] Non-admin user attempted to create podcast`, req.user)
+ Logger.error(`[PodcastController] Non-admin user "${req.user.username}" attempted to create podcast`)
 return res.sendStatus(403)
 }
 const payload = req.body
@@ -103,6 +103,11 @@ class PodcastController {
 }
 async getPodcastFeed(req, res) {
+ if (!req.user.isAdminOrUp) {
+ Logger.error(`[PodcastController] Non-admin user "${req.user.username}" attempted to get podcast feed`)
+ return res.sendStatus(403)
+ }
+
 var url = req.body.rssFeed
 if (!url) {
 return res.status(400).send('Bad request')
@@ -116,6 +121,11 @@ class PodcastController {
 }
 async getFeedsFromOPMLText(req, res) {
+ if (!req.user.isAdminOrUp) {
+ Logger.error(`[PodcastController] Non-admin user "${req.user.username}" attempted to get feeds from opml`)
+ return res.sendStatus(403)
+ }
+
 if (!req.body.opmlText) {
 return res.sendStatus(400)
 }
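Review bot: The admin-or-up guard in `create` is now copy-pasted verbatim into `getPodcastFeed` (@@ -103) and `getFeedsFromOPMLText` (@@ -116), differing only in the log text, so the next podcast endpoint added to this controller can ship without it unnoticed. Moving the check into a route-level middleware, or a small helper such as `requireAdminOrUp(req, res, 'create podcast')` that logs and sends the 403, would make the restriction the default rather than something each handler has to remember. The reworked log line embeds `req.user.username`, which is stored data rather than a constant; unless `Logger` escapes control characters, a username containing a newline would be written as if it were a separate log entry, so logging the user id, or `JSON.stringify(req.user.username)`, keeps the line unambiguous. `create`'s body continues outside the hunk.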
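Review bot: The new guard limits who can reach `getPodcastFeed`, but the hunk still accepts `url = req.body.rssFeed` with only an emptiness check before what is presumably a server-side fetch of that address; unless the rest of the function (outside the hunk) validates it, any URL an admin account submits, whatever its scheme or host, is requested by the server. Parsing it with `new URL(url)` inside a try/catch and returning the existing `res.status(400).send('Bad request')` when `parsed.protocol` is neither `http:` nor `https:` would keep the 403 check as defence in depth rather than the only control on this input. The function body continues past the hunk.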
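Review bot: Neither `getFeedsFromOPMLText` nor `getPodcastFeed` (@@ -103) documents the access requirement the commit introduces, so a reader of the router only discovers the 403 by tracing into the handler. A one-line JSDoc above each, e.g. `/** Handler for /podcasts/opml. Requires an admin-or-up user (403 otherwise); expects req.body.opmlText (400 when missing). */`, records the contract at the point where it is enforced. The rest of the method is outside the hunk.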