Diffstat (limited to 'src/api/routes/files/albumAddPOST.js')
-rw-r--r--src/api/routes/files/albumAddPOST.js8
1 files changed, 7 insertions, 1 deletions
diff --git a/src/api/routes/files/albumAddPOST.js b/src/api/routes/files/albumAddPOST.js
index fc4ee71..af39caa 100644
--- a/src/api/routes/files/albumAddPOST.js
+++ b/src/api/routes/files/albumAddPOST.js
@@ -5,11 +5,17 @@ class albumAddPOST extends Route {
super('/file/album/add', 'post');
}
- async run(req, res, db) {
+ async run(req, res, db, user) {
if (!req.body) return res.status(400).json({ message: 'No body provided' });
const { fileId, albumId } = req.body;
if (!fileId || !albumId) return res.status(400).json({ message: 'No id provided' });
+ // Make sure both file and album belong to the user
+ const file = await db.table('files').where({ id: fileId, userId: user.id }).first();
+ if (!file) return res.status(400).json({ message: 'File doesn\'t exist.' });
+ const album = await db.table('albums').where({ id: albumId, userId: user.id }).first();
+ if (!album) return res.status(400).json({ message: 'Album doesn\'t exist.' });
+
try {
await db.table('albumsFiles')
.insert({ fileId, albumId });