BUG: Overly restrictive admin check in /api/dashboard/blocklist-search blocks non-admin users from using the blocklist feature #34
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Summary
The authorization checks inside
server/routes/dashboard.jsfor the/blocklist-searchendpoint are overly restrictive. WhileDownloadAssembler.canBlocklistcalculates if a specific download can be blocklisted by a regular user (e.g., when it has import issues or if it is a torrent over 1 hour old with <100% availability), the route handlerPOST /api/dashboard/blocklist-searchunconditionally rejects any non-admin request with a403 Forbiddenstatus.Root Cause
In
server/routes/dashboard.js(lines 675-678), the router includes an explicit admin-only gate:This check completely overrides the granular permissions evaluated by
DownloadAssembler.canBlocklist(download, isAdmin), which are used byDownloadMatcher.jsto expose the "Blocklist + Re-search" button to non-admin users.Impact
When a non-admin user has a download that qualifies for blocklisting (e.g., it has an import issue), they are correctly shown the "Blocklist + Re-search" button in their dashboard interface. However, clicking the button triggers a request to
POST /api/dashboard/blocklist-search, which immediately fails with a403 Forbiddenerror. This creates a severe mismatch between UI capability states and backend enforcement, resulting in a broken user experience.Steps to Reproduce
DownloadAssembler.canBlocklistevaluates to true)./api/dashboard/blocklist-searchfails with a403 Forbidden: Admin access requiredstatus code.Proposed Fix
Modify
POST /api/dashboard/blocklist-searchto dynamically authorize non-admin users:DownloadAssembler.canBlocklist(download, false)to verify if they are authorized to blocklist it.403 Forbiddenerror.Fixed the overly restrictive admin check in the blocklist-search endpoint. Non-admin users can now use the blocklist feature when they meet qualifying conditions (import issues or stale low-availability torrents). Changes:
All integration tests pass.