Merge pull request #8753 from thornbill/fix-items-access-backport

pull/9016/head
Bond-009 2 years ago committed by GitHub
commit 6fc8237242
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -270,30 +270,13 @@ namespace Jellyfin.Api.Controllers
includeItemTypes = new[] { BaseItemKind.Playlist }; includeItemTypes = new[] { BaseItemKind.Playlist };
} }
var enabledChannels = user!.GetPreferenceValues<Guid>(PreferenceKind.EnabledChannels);
bool isInEnabledFolder = Array.IndexOf(user.GetPreferenceValues<Guid>(PreferenceKind.EnabledFolders), item.Id) != -1
// Assume all folders inside an EnabledChannel are enabled
|| Array.IndexOf(enabledChannels, item.Id) != -1
// Assume all items inside an EnabledChannel are enabled
|| Array.IndexOf(enabledChannels, item.ChannelId) != -1;
var collectionFolders = _libraryManager.GetCollectionFolders(item);
foreach (var collectionFolder in collectionFolders)
{
if (user.GetPreferenceValues<Guid>(PreferenceKind.EnabledFolders).Contains(collectionFolder.Id))
{
isInEnabledFolder = true;
}
}
if (item is not UserRootFolder if (item is not UserRootFolder
&& !isInEnabledFolder // api keys can always access all folders
&& !user.HasPermission(PermissionKind.EnableAllFolders) && !ClaimHelpers.GetIsApiKey(User)
&& !user.HasPermission(PermissionKind.EnableAllChannels) // check the item is visible for the user
&& !string.Equals(collectionType, CollectionType.Folders, StringComparison.OrdinalIgnoreCase)) && !item.IsVisible(user))
{ {
_logger.LogWarning("{UserName} is not permitted to access Library {ItemName}.", user.Username, item.Name); _logger.LogWarning("{UserName} is not permitted to access Library {ItemName}", user!.Username, item.Name);
return Unauthorized($"{user.Username} is not permitted to access Library {item.Name}."); return Unauthorized($"{user.Username} is not permitted to access Library {item.Name}.");
} }
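Review bot: The denial path in the new `if` block still returns `Unauthorized($"{user.Username} is not permitted to access Library {item.Name}.")`, which hands the name of the hidden item back to a caller who has just failed `item.IsVisible(user)`. A fixed message such as `return Unauthorized("Access to the requested item is denied.");` keeps that detail in the server log only. A 403 would also describe an authenticated but unpermitted caller better than 401, provided clients do not depend on the current status code. Separately, the `user!` on the log line suggests `user` is nullable here, and for a non-API-key request `item.IsVisible(user)` is evaluated before it, so it is worth confirming earlier in the method (outside this hunk) that `user` cannot be null on this path.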

@ -492,7 +492,7 @@ namespace Jellyfin.Api.Controllers
/// <response code="200">Media folders returned.</response> /// <response code="200">Media folders returned.</response>
/// <returns>List of user media folders.</returns> /// <returns>List of user media folders.</returns>
[HttpGet("Library/MediaFolders")] [HttpGet("Library/MediaFolders")]
[Authorize(Policy = Policies.DefaultAuthorization)] [Authorize(Policy = Policies.RequiresElevation)]
[ProducesResponseType(StatusCodes.Status200OK)] [ProducesResponseType(StatusCodes.Status200OK)]
public ActionResult<QueryResult<BaseItemDto>> GetMediaFolders([FromQuery] bool? isHidden) public ActionResult<QueryResult<BaseItemDto>> GetMediaFolders([FromQuery] bool? isHidden)
{ {
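Review bot: The XML docs and response attributes on `GetMediaFolders` do not reflect the tighter policy. With `Policies.RequiresElevation`, a non-administrator should now be refused, but only the 200 response is documented and the `<returns>` text still reads "List of user media folders". I would add `/// <response code="403">User does not have elevated privileges.</response>` and `[ProducesResponseType(StatusCodes.Status403Forbidden)]` so that generated API clients handle the refusal. The method body lies outside the hunk, so whether any in-tree caller relied on the default policy cannot be checked from here.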
