
Limit sessions per user (#11370)

Cody Robibero 1 vuosi sitten

+ 7 - 1
Jellyfin.Api/Controllers/SessionController.cs

@@ -84,7 +84,8 @@ public class SessionController : BaseJellyfinApiController
 
             if (!user.HasPermission(PermissionKind.EnableRemoteControlOfOtherUsers))
             {
-                result = result.Where(i => i.UserId.IsEmpty() || i.ContainsUser(controllableByUserId.Value));
+                // User cannot control other user's sessions, validate user id.
+                result = result.Where(i => i.UserId.IsEmpty() || i.ContainsUser(RequestHelpers.GetUserId(User, controllableByUserId)));
             }
 
             if (!user.HasPermission(PermissionKind.EnableSharedDeviceControl))
@@ -105,6 +106,11 @@ public class SessionController : BaseJellyfinApiController
                 return true;
             });
         }
+        else if (!User.IsInRole(UserRoles.Administrator))
+        {
+            // Request isn't from administrator, limit to "own" sessions.
+            result = result.Where(i => i.UserId.IsEmpty() || i.ContainsUser(User.GetUserId()));
+        }
 
         if (activeWithinSeconds.HasValue && activeWithinSeconds.Value > 0)
         {
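Review bot: The `Where` on line 19 is deferred, so `RequestHelpers.GetUserId(User, controllableByUserId)` runs once per session during enumeration rather than once at request time; if that helper rejects a disallowed id by throwing (it appears to be the validation the comment refers to, worth confirming), the exception surfaces lazily from whatever later enumerates `result` instead of from the permission check itself. Hoist it out of the lambda: `var userId = RequestHelpers.GetUserId(User, controllableByUserId);` followed by `result = result.Where(i => i.UserId.IsEmpty() || i.ContainsUser(userId));`, and the same hoisting applies to `User.GetUserId()` in the new branch at line 30. Both the permissioned branch and the new non-administrator branch keep the `i.UserId.IsEmpty()` carve-out, so sessions with no associated user remain visible to every authenticated caller; a one-line comment stating that this is intentional (e.g. `// Sessions without a user are visible to all callers.`) would keep the next reader from treating it as a leak. The enclosing method starts before the first hunk and ends after the second.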

+ 1 - 1
tests/Jellyfin.Server.Integration.Tests/Controllers/SessionControllerTests.cs

@@ -21,7 +21,7 @@ public class SessionControllerTests : IClassFixture<JellyfinApplicationFactory>
         var client = _factory.CreateClient();
         client.DefaultRequestHeaders.AddAuthHeader(_accessToken ??= await AuthHelper.CompleteStartupAsync(client));
 
-        using var response = await client.GetAsync($"Session/Sessions?userId={Guid.NewGuid()}");
+        using var response = await client.GetAsync($"Sessions?controllableByUserId={Guid.NewGuid()}");
         Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
     }
 }
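Review bot: The updated request on line 44 only exercises the path where `controllableByUserId` is supplied by the startup (administrator) user and expects `NotFound`; nothing covers the new non-administrator branch that limits the result to the caller's own sessions, nor a non-administrator passing another user's id. A second test authenticating as a non-administrator and asserting that `Sessions` returns only that user's sessions, plus one asserting the response when it supplies a foreign `controllableByUserId`, would pin the behaviour this commit introduces. The test method's signature lies outside the hunk.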