fix control give for users.

server/internal/api/room/handler.go

@@ -95,7 +95,7 @@ func (h *RoomHandler) Route(r types.Router) {
 		r.Post("/release", h.controlRelease)
 
 		r.With(auth.AdminsOnly).Post("/take", h.controlTake)
-		r.With(auth.AdminsOnly).Post("/give/{sessionId}", h.controlGive)
+		r.With(auth.HostsOrAdminsOnly).Post("/give/{sessionId}", h.controlGive)
 		r.With(auth.AdminsOnly).Post("/reset", h.controlReset)
 	})
 

server/internal/http/legacy/wstobackend.go

@@ -100,7 +100,6 @@ func (s *session) wsToBackend(msg []byte, sendMsg func([]byte) error) error {
 			return err
 		}
 
-		// TODO: Not implemented for user - only for admins.
 		return s.apiReq(http.MethodPost, "/api/room/control/give/"+request.ID, nil, nil)
 
 	case oldEvent.CONTROL_CLIPBOARD:

server/pkg/auth/auth.go

@@ -40,6 +40,15 @@ func HostsOnly(w http.ResponseWriter, r *http.Request) (context.Context, error)
 	return nil, nil
 }
 
+func HostsOrAdminsOnly(w http.ResponseWriter, r *http.Request) (context.Context, error) {
+	session, ok := GetSession(r)
+	if !ok || (!session.IsHost() && !session.Profile().IsAdmin) {
+		return nil, utils.HttpForbidden("session is not host or admin")
+	}
+
+	return nil, nil
+}
+
 func CanWatchOnly(w http.ResponseWriter, r *http.Request) (context.Context, error) {
 	session, ok := GetSession(r)
 	if !ok || !session.Profile().CanWatch {