From 6c8b40f413bf634705dcfe6df2d7d5f8efc46c43 Mon Sep 17 00:00:00 2001
From: Bill Thornton <billt2006@gmail.com>
Date: Wed, 9 Nov 2022 18:02:49 -0500
Subject: [PATCH] Fix items endpoint not honoring library access control

---
 Jellyfin.Api/Controllers/ItemsController.cs | 27 ++++-----------------
 1 file changed, 5 insertions(+), 22 deletions(-)

diff --git a/Jellyfin.Api/Controllers/ItemsController.cs b/Jellyfin.Api/Controllers/ItemsController.cs
index 58caae9f85..e5ef6b23e9 100644
--- a/Jellyfin.Api/Controllers/ItemsController.cs
+++ b/Jellyfin.Api/Controllers/ItemsController.cs
@@ -270,30 +270,13 @@ namespace Jellyfin.Api.Controllers
                 includeItemTypes = new[] { BaseItemKind.Playlist };
             }
 
-            var enabledChannels = user!.GetPreferenceValues<Guid>(PreferenceKind.EnabledChannels);
-
-            bool isInEnabledFolder = Array.IndexOf(user.GetPreferenceValues<Guid>(PreferenceKind.EnabledFolders), item.Id) != -1
-                                     // Assume all folders inside an EnabledChannel are enabled
-                                     || Array.IndexOf(enabledChannels, item.Id) != -1
-                                     // Assume all items inside an EnabledChannel are enabled
-                                     || Array.IndexOf(enabledChannels, item.ChannelId) != -1;
-
-            var collectionFolders = _libraryManager.GetCollectionFolders(item);
-            foreach (var collectionFolder in collectionFolders)
-            {
-                if (user.GetPreferenceValues<Guid>(PreferenceKind.EnabledFolders).Contains(collectionFolder.Id))
-                {
-                    isInEnabledFolder = true;
-                }
-            }
-
             if (item is not UserRootFolder
-                && !isInEnabledFolder
-                && !user.HasPermission(PermissionKind.EnableAllFolders)
-                && !user.HasPermission(PermissionKind.EnableAllChannels)
-                && !string.Equals(collectionType, CollectionType.Folders, StringComparison.OrdinalIgnoreCase))
+                // api keys can always access all folders
+                && !ClaimHelpers.GetIsApiKey(User)
+                // check the item is visible for the user
+                && !item.IsVisible(user))
             {
-                _logger.LogWarning("{UserName} is not permitted to access Library {ItemName}.", user.Username, item.Name);
+                _logger.LogWarning("{UserName} is not permitted to access Library {ItemName}", user!.Username, item.Name);
                 return Unauthorized($"{user.Username} is not permitted to access Library {item.Name}.");
             }