1 files changed, 12 insertions, 5 deletions

diff --git a/server/src/routes/userdata.rs b/server/src/routes/userdata.rs
index 8803bde..c113bb6 100644
--- a/server/src/routes/userdata.rs
+++ b/server/src/routes/userdata.rs
@@ -6,7 +6,10 @@
 use super::ui::{account::session::Session, error::MyResult, node::DatabaseNodeUserDataExt};
 use crate::routes::ui::node::rocket_uri_macro_r_library_node;
 use anyhow::anyhow;
-use jellybase::database::{DataAcid, ReadableTable, Ser, TableExt, T_NODE, T_USER_NODE};
+use jellybase::{
+    database::{DataAcid, ReadableTable, Ser, TableExt, T_NODE, T_USER_NODE},
+    permission::NodePermissionExt,
+};
 use jellycommon::user::{NodeUserData, WatchedState};
 use rocket::{
     get, post, response::Redirect, serde::json::Json, FromFormField, State, UriDisplayQuery,
@@ -36,9 +39,10 @@ pub async fn r_player_watched(
     id: &str,
     state: UrlWatchedState,
 ) -> MyResult<Redirect> {
-    T_NODE.get(db, id)?.ok_or(anyhow!("node does not exist"))?;
-
-    // let key = (session.user.name.clone(), id.to_owned());
+    T_NODE
+        .get(db, id)?
+        .only_if_permitted(&session.user.permissions)
+        .ok_or(anyhow!("node does not exist"))?;
 
     let txn = db.begin_write()?;
     let mut user_nodes = txn.open_table(T_USER_NODE)?;
@@ -68,7 +72,10 @@ pub async fn r_player_progress(
     id: &str,
     t: f64,
 ) -> MyResult<()> {
-    T_NODE.get(db, id)?.ok_or(anyhow!("node does not exist"))?;
+    T_NODE
+        .get(db, id)?
+        .only_if_permitted(&session.user.permissions)
+        .ok_or(anyhow!("node does not exist"))?;
 
     let txn = db.begin_write()?;
     let mut user_nodes = txn.open_table(T_USER_NODE)?;