From 78630d427d8782876296a3b3ed64bed897e7a41a Mon Sep 17 00:00:00 2001
From: Deluan <deluan@navidrome.org>
Date: Tue, 27 Oct 2020 20:22:05 -0400
Subject: [PATCH] Limit startScan to admins only

---
 server/subsonic/library_scanning.go | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/server/subsonic/library_scanning.go b/server/subsonic/library_scanning.go
index ce78ef29e..6f404985e 100644
--- a/server/subsonic/library_scanning.go
+++ b/server/subsonic/library_scanning.go
@@ -5,6 +5,7 @@ import (
 
 	"github.com/deluan/navidrome/conf"
 	"github.com/deluan/navidrome/log"
+	"github.com/deluan/navidrome/model/request"
 	"github.com/deluan/navidrome/scanner"
 	"github.com/deluan/navidrome/server/subsonic/responses"
 	"github.com/deluan/navidrome/utils"
@@ -37,6 +38,15 @@ func (c *LibraryScanningController) GetScanStatus(w http.ResponseWriter, r *http
 }
 
 func (c *LibraryScanningController) StartScan(w http.ResponseWriter, r *http.Request) (*responses.Subsonic, error) {
+	loggedUser, ok := request.UserFrom(r.Context())
+	if !ok {
+		return nil, newError(responses.ErrorGeneric, "Internal error")
+	}
+
+	if !loggedUser.IsAdmin {
+		return nil, newError(responses.ErrorAuthorizationFail)
+	}
+
 	fullScan := utils.ParamBool(r, "fullScan", false)
 	c.scanner.RescanAll(fullScan)