Merge pull request #8753 from thornbill/fix-items-access-backport

2025-04-24 05:57:20 -04:00 · 2022-11-22 21:52:53 +01:00 · 2022-11-22 21:52:53 +01:00 · 6fc8237242
commit 6fc8237242
parent ec81dc9be2 79d7a4d4df
2 changed files with 6 additions and 23 deletions
--- a/Jellyfin.Api/Controllers/ItemsController.cs
+++ b/Jellyfin.Api/Controllers/ItemsController.cs
@ -270,30 +270,13 @@ namespace Jellyfin.Api.Controllers
                includeItemTypes = new[] { BaseItemKind.Playlist };
            }

-            var enabledChannels = user!.GetPreferenceValues<Guid>(PreferenceKind.EnabledChannels);
-
-            bool isInEnabledFolder = Array.IndexOf(user.GetPreferenceValues<Guid>(PreferenceKind.EnabledFolders), item.Id) != -1
-                                     // Assume all folders inside an EnabledChannel are enabled
-                                     || Array.IndexOf(enabledChannels, item.Id) != -1
-                                     // Assume all items inside an EnabledChannel are enabled
-                                     || Array.IndexOf(enabledChannels, item.ChannelId) != -1;
-
-            var collectionFolders = _libraryManager.GetCollectionFolders(item);
-            foreach (var collectionFolder in collectionFolders)
-            {
-                if (user.GetPreferenceValues<Guid>(PreferenceKind.EnabledFolders).Contains(collectionFolder.Id))
-                {
-                    isInEnabledFolder = true;
-                }
-            }
-
            if (item is not UserRootFolder
-                && !isInEnabledFolder
-                && !user.HasPermission(PermissionKind.EnableAllFolders)
-                && !user.HasPermission(PermissionKind.EnableAllChannels)
-                && !string.Equals(collectionType, CollectionType.Folders, StringComparison.OrdinalIgnoreCase))
+                // api keys can always access all folders
+                && !ClaimHelpers.GetIsApiKey(User)
+                // check the item is visible for the user
+                && !item.IsVisible(user))
            {
-                _logger.LogWarning("{UserName} is not permitted to access Library {ItemName}.", user.Username, item.Name);
+                _logger.LogWarning("{UserName} is not permitted to access Library {ItemName}", user!.Username, item.Name);
                return Unauthorized($"{user.Username} is not permitted to access Library {item.Name}.");
            }

--- a/Jellyfin.Api/Controllers/LibraryController.cs
+++ b/Jellyfin.Api/Controllers/LibraryController.cs
@ -492,7 +492,7 @@ namespace Jellyfin.Api.Controllers
        /// <response code="200">Media folders returned.</response>
        /// <returns>List of user media folders.</returns>
        [HttpGet("Library/MediaFolders")]
-        [Authorize(Policy = Policies.DefaultAuthorization)]
+        [Authorize(Policy = Policies.RequiresElevation)]
        [ProducesResponseType(StatusCodes.Status200OK)]
        public ActionResult<QueryResult<BaseItemDto>> GetMediaFolders([FromQuery] bool? isHidden)
        {