From a37fe3c3d2262963831afd8c2863018ae30ab571 Mon Sep 17 00:00:00 2001
From: advplyr
Date: Fri, 7 Feb 2025 17:09:48 -0600
Subject: [PATCH] Fix: Users with update permission unable to remove books from collection #3947
---
 server/controllers/CollectionController.js | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/server/controllers/CollectionController.js b/server/controllers/CollectionController.js
index 00b82ce9..475adfe0 100644
--- a/server/controllers/CollectionController.js
+++ b/server/controllers/CollectionController.js
@@ -251,6 +251,7 @@ class CollectionController {
 /**
 * DELETE: /api/collections/:id/book/:bookId
 * Remove a single book from a collection. Re-order books
+ * Users with update permission can remove books from collections
 * TODO: bookId is actually libraryItemId. Clients need updating to use bookId
 *
 * @param {CollectionControllerRequest} req
@@ -427,7 +428,8 @@ class CollectionController {
 req.collection = collection
 }

- if (req.method == 'DELETE' && !req.user.canDelete) {
+ // Users with update permission can remove books from collections
+ if (req.method == 'DELETE' && !req.params.bookId && !req.user.canDelete) {
 Logger.warn(`[CollectionController] User "${req.user.username}" attempted to delete without permission`)
 return res.sendStatus(403)
 } else if ((req.method == 'PATCH' || req.method == 'POST') && !req.user.canUpdate) {
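Review bot: With the added `!req.params.bookId` term in the second hunk, a DELETE that carries a bookId skips the canDelete check and also never reaches the canUpdate check, because the `else if` on the hunk's last line tests only PATCH and POST. The new comment says removal is meant for users with update permission, but nothing visible here enforces that, so an account with neither permission appears to pass this middleware; whether the route handler checks canUpdate itself is not visible. Consider extending the second branch to cover this case: `} else if ((req.method == 'PATCH' || req.method == 'POST' || (req.method == 'DELETE' && req.params.bookId)) && !req.user.canUpdate) {`. The enclosing function starts before the hunk and the `else if` body continues after it.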