From 4f3d562d75f035f65f90afb7f136b4f4c062ec5d Mon Sep 17 00:00:00 2001
From: Bill Thornton <billt2006@gmail.com>
Date: Wed, 9 Nov 2022 18:31:30 -0500
Subject: [PATCH] Fix media folders endpoint access control

---
 Jellyfin.Api/Controllers/LibraryController.cs | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/Jellyfin.Api/Controllers/LibraryController.cs b/Jellyfin.Api/Controllers/LibraryController.cs
index 4cc17dd0fc..9f98a78c2f 100644
--- a/Jellyfin.Api/Controllers/LibraryController.cs
+++ b/Jellyfin.Api/Controllers/LibraryController.cs
@@ -11,6 +11,7 @@ using System.Threading.Tasks;
 using Jellyfin.Api.Attributes;
 using Jellyfin.Api.Constants;
 using Jellyfin.Api.Extensions;
+using Jellyfin.Api.Helpers;
 using Jellyfin.Api.ModelBinders;
 using Jellyfin.Api.Models.LibraryDtos;
 using Jellyfin.Data.Entities;
@@ -498,6 +499,12 @@ namespace Jellyfin.Api.Controllers
         {
             var items = _libraryManager.GetUserRootFolder().Children.Concat(_libraryManager.RootFolder.VirtualChildren).OrderBy(i => i.SortName).ToList();
 
+            if (!ClaimHelpers.GetIsApiKey(User) && !User.IsInRole(UserRoles.Administrator))
+            {
+                var user = _userManager.GetUserById(ClaimHelpers.GetUserId(User)!.Value);
+                items = items.Where(i => i.IsVisible(user)).ToList();
+            }
+
             if (isHidden.HasValue)
             {
                 var val = isHidden.Value;