fix: blocklist-search lookup against queue cache instead of downloadClientRegistry
CI / Security audit (push) Successful in 1m52s
Docs Check / Markdown lint (push) Successful in 1m37s
Build and Push Docker Image / build (push) Successful in 2m2s
Licence Check / Licence compatibility and copyright header verification (push) Failing after 2m33s
CI / Swagger Validation & Coverage (push) Successful in 3m17s
Docs Check / Mermaid diagram parse check (push) Successful in 3m31s
CI / Tests & coverage (push) Successful in 4m5s
CI / Security audit (push) Successful in 1m52s
Docs Check / Markdown lint (push) Successful in 1m37s
Build and Push Docker Image / build (push) Successful in 2m2s
Licence Check / Licence compatibility and copyright header verification (push) Failing after 2m33s
CI / Swagger Validation & Coverage (push) Successful in 3m17s
Docs Check / Mermaid diagram parse check (push) Successful in 3m31s
CI / Tests & coverage (push) Successful in 4m5s
Fixes the root cause of the regression from v1.7.16. The v1.7.16 fix correctly cast arrQueueId to String, but the lookup was performed against downloadClientRegistry.getAllDownloads() which returns raw download client data (qBittorrent, SABnzbd, etc.) that never has arrQueueId populated. The fix now looks up the queue record directly from the Sonarr/Radarr queue cache where record.id is the numeric queue ID, using String() casting on both sides to handle the DOM-dataset (string) vs API response (number) type difference. Resolves Gitea Issue #48 Closes #48
This commit is contained in:
+1
-1
@@ -22,7 +22,7 @@ info:
|
||||
|
||||
## SSE Streaming
|
||||
Real-time updates are available via Server-Sent Events at GET /api/dashboard/stream.
|
||||
version: 1.7.16
|
||||
version: 1.7.17
|
||||
contact:
|
||||
name: sofarr
|
||||
license:
|
||||
|
||||
@@ -686,20 +686,33 @@ router.post('/blocklist-search', requireAuth, async (req, res) => {
|
||||
return res.status(400).json({ error: 'arrType must be sonarr or radarr' });
|
||||
}
|
||||
|
||||
// Look up the download to verify permission.
|
||||
// Note: arrQueueId from req.body is always a string (DOM dataset), while
|
||||
// d.arrQueueId from the Radarr/Sonarr API is a number. Cast both to String
|
||||
// to avoid a type mismatch causing a false-negative lookup.
|
||||
const allDownloads = await downloadClientRegistry.getAllDownloads();
|
||||
const download = allDownloads.find(d => d.arrQueueId != null && String(d.arrQueueId) === String(arrQueueId) && d.arrType === arrType);
|
||||
// Look up the queue record directly from the *arr cache.
|
||||
// downloadClientRegistry.getAllDownloads() returns raw download-client data
|
||||
// (qBittorrent, SABnzbd, etc.) which never has arrQueueId set — that field
|
||||
// is only populated later by DownloadMatcher during the SSE build phase.
|
||||
// Instead, we verify permission by finding the record in the Sonarr/Radarr
|
||||
// queue cache where record.id is the numeric queue ID.
|
||||
// Cast both sides to String to handle the DOM dataset → string vs API → number mismatch.
|
||||
const queueCacheKey = arrType === 'sonarr' ? 'poll:sonarr-queue' : 'poll:radarr-queue';
|
||||
const queueData = cache.get(queueCacheKey) || { records: [] };
|
||||
const queueRecord = (queueData.records || []).find(r => r.id != null && String(r.id) === String(arrQueueId));
|
||||
|
||||
if (!download) {
|
||||
console.error('[Blocklist] Download not found:', { arrQueueId, arrType });
|
||||
if (!queueRecord) {
|
||||
console.error('[Blocklist] Download not found in arr queue cache:', { arrQueueId, arrType });
|
||||
return res.status(403).json({ error: 'Download not found or permission denied' });
|
||||
}
|
||||
|
||||
// Build a minimal download-like object for canBlocklist eligibility check.
|
||||
// Includes importIssues so non-admins can blocklist stalled/import-pending items.
|
||||
const importIssues = require('../services/DownloadAssembler').getImportIssues(queueRecord);
|
||||
const downloadForCheck = {
|
||||
importIssues: importIssues || [],
|
||||
arrQueueId: queueRecord.id,
|
||||
arrType
|
||||
};
|
||||
|
||||
// Check if user can blocklist this download
|
||||
if (!canBlocklist(download, user.isAdmin)) {
|
||||
if (!canBlocklist(downloadForCheck, user.isAdmin)) {
|
||||
console.log('[Blocklist] Permission denied:', { user: user.name, isAdmin: user.isAdmin, arrQueueId, arrType });
|
||||
return res.status(403).json({ error: 'Permission denied: admin or qualifying conditions required' });
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user