jellyseerr
series request limit can be bypassed by users
Description
If you have a "Series Request Limit" set for a user, for example
4 Seasons per 7 days
The user is able to bypass the season limit when you have the "Auto Approve" setting disabled.
While it's in the "Pending State" awaiting admin approval, the user can go back in and edit the request and select more seasons than they are allowed.
Version
1.7.0
Steps to Reproduce
- Create a test user
- Assign a limit to this user for seasons. For example, allow 4 season requests per 7 days. Note: Assign a limit to the user using the Override Global Limit option, don't assign a limit to the user just using the global limit. (General > Users > Select User > General Tab > Series Request Limit > Override Global Limit)
- Disable "Auto Approve" for this user, so that it requires admin approval.
- On the test user, request a show that has more than 4 seasons, but select all that you're allotted to (4 seasons), then submit.
- Once submitted, head to the requests tab, edit your request, then select the remaining seasons and click save.
Screenshots
Logs
No response
Platform
desktop
Device
Any
Operating System
Unraid
Browser
Any
Additional Context
No response
Can you try on develop?
Same issue
I am unable to recreate this issue on develop. When I try to edit the request, it expectedly still enforces the limit. Am I missing something?
I just updated to the latest develop and still see the issue. I don't have the "No season requests remaining" prompt when I edit a request; I am not sure how you have that.
Are you overriding the global limit for your user? (Step 2 in the replication steps). I will update this in case there was confusion
> I am unable to recreate this issue on develop. When I try to edit the request, it expectedly still enforces the limit. Am I missing something?
I've found the root setting that's causing this issue: you have to have "Advanced Requests" enabled for the user as well. When I unchecked this permission from my test user, I see the series limit just as you would expect, per your screenshot. Once I check that option, I can bypass my series limit by editing the request.
Thank you for sharing that, it really helped
The issue seems to be originating from here. The value of `quota` is initially correct, but it immediately changes to `null` because of the `requestOverrides?.user?.id` condition becoming true.
https://github.com/Fallenbagel/jellyseerr/blob/db84f6529ab285be26c96daaab065dfabf347417/src/components/RequestModal/TvRequestModal.tsx#L90-L95
Removing that entire condition worked for me, but I wanted to ask, is it there for a reason? Should we not be enforcing quota on every user regardless of these conditions?
> Removing that entire condition worked for me, but I wanted to ask, is it there for a reason? Should we not be enforcing quota on every user regardless of these conditions?
Good question. I'll ask overseerr about this. I feel like advanced request is still not a user level that should get the quotas to be null
> > Removing that entire condition worked for me, but I wanted to ask, is it there for a reason? Should we not be enforcing quota on every user regardless of these conditions?
>
> Good question. I'll ask overseerr about this. I feel like advanced request is still not a user level that should get the quotas to be null
Did they ever get back to you on this?
> > > Removing that entire condition worked for me, but I wanted to ask, is it there for a reason? Should we not be enforcing quota on every user regardless of these conditions?
> >
> > Good question. I'll ask overseerr about this. I feel like advanced request is still not a user level that should get the quotas to be null
>
> Did they ever get back to you on this?
Yes. Not intended behavior. I have a fix, I'll be opening a pr on overseerr
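
The behaviour discussed in this thread, modelled as an added example that is not Jellyseerr or Overseerr source code. Only `quota` and `requestOverrides?.user?.id` come from the thread; the types, function names, sample ids and the rule that a pending request's seasons already count as used are assumptions made for illustration.

```typescript
// Added illustration, not project code. Hypothetical types and helpers.
interface Quota { limit: number; used: number }      // e.g. 4 seasons per 7 days
interface RequestOverrides { user?: { id: number } }

// As described in the thread: once an override user id is present,
// the quota value becomes null and no limit is applied.
function quotaAsDescribed(quota: Quota, requestOverrides?: RequestOverrides): Quota | null {
  return requestOverrides?.user?.id ? null : quota;
}

// The change a commenter reports trying: the condition is removed,
// so the quota applies whether or not overrides are set.
function quotaAlwaysEnforced(quota: Quota, _requestOverrides?: RequestOverrides): Quota | null {
  return quota;
}

// Decide whether an edit to a pending request may be saved.
// Assumption: seasons already in the pending request are counted in quota.used,
// so only newly added seasons consume remaining quota. null means "no limit".
function canSaveEdit(quota: Quota | null, previousSeasons: number[], selectedSeasons: number[]): boolean {
  if (quota === null) return true;
  const added = selectedSeasons.filter((s) => previousSeasons.indexOf(s) === -1);
  const remaining = Math.max(0, quota.limit - quota.used);
  return added.length <= remaining;
}

// Constructed scenario from the reproduction steps: limit of 4, four seasons
// pending approval, and the request is edited to add seasons 5 to 7.
const quota: Quota = { limit: 4, used: 4 };
const overrides: RequestOverrides = { user: { id: 12 } }; // constructed id
const before = [1, 2, 3, 4];
const after = [1, 2, 3, 4, 5, 6, 7];

console.log(canSaveEdit(quotaAsDescribed(quota, overrides), before, after));    // limit skipped
console.log(canSaveEdit(quotaAlwaysEnforced(quota, overrides), before, after)); // limit applied
```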