From a37fe3c3d2262963831afd8c2863018ae30ab571 Mon Sep 17 00:00:00 2001
From: advplyr <advplyr@protonmail.com>
Date: Fri, 7 Feb 2025 17:09:48 -0600
Subject: [PATCH] Fix: Users with update permission unable to remove books from
 collection #3947

---
 server/controllers/CollectionController.js | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/server/controllers/CollectionController.js b/server/controllers/CollectionController.js
index 00b82ce9..475adfe0 100644
--- a/server/controllers/CollectionController.js
+++ b/server/controllers/CollectionController.js
@@ -251,6 +251,7 @@ class CollectionController {
   /**
    * DELETE: /api/collections/:id/book/:bookId
    * Remove a single book from a collection. Re-order books
+   * Users with update permission can remove books from collections
    * TODO: bookId is actually libraryItemId. Clients need updating to use bookId
    *
    * @param {CollectionControllerRequest} req
@@ -427,7 +428,8 @@ class CollectionController {
       req.collection = collection
     }
 
-    if (req.method == 'DELETE' && !req.user.canDelete) {
+    // Users with update permission can remove books from collections
+    if (req.method == 'DELETE' && !req.params.bookId && !req.user.canDelete) {
       Logger.warn(`[CollectionController] User "${req.user.username}" attempted to delete without permission`)
       return res.sendStatus(403)
     } else if ((req.method == 'PATCH' || req.method == 'POST') && !req.user.canUpdate) {