Merge pull request #930 from fruhnow/AuthorizationCheck

checking user-permission in GetQueryResult

2 files changed, 12 insertions, 0 deletions

diff --git a/CONTRIBUTORS.md b/CONTRIBUTORS.md
index 28690f36f..39149910c 100644
--- a/CONTRIBUTORS.md
+++ b/CONTRIBUTORS.md
@@ -19,6 +19,7 @@
  - [LogicalPhallacy](https://github.com/LogicalPhallacy/)
  - [RazeLighter777](https://github.com/RazeLighter777)
  - [WillWill56](https://github.com/WillWill56)
+ - [fruhnow](https://github.com/fruhnow)
 
 # Emby Contributors
 
diff --git a/MediaBrowser.Api/UserLibrary/ItemsService.cs b/MediaBrowser.Api/UserLibrary/ItemsService.cs
index 96b0aa003..84475467f 100644
--- a/MediaBrowser.Api/UserLibrary/ItemsService.cs
+++ b/MediaBrowser.Api/UserLibrary/ItemsService.cs
@@ -12,6 +12,7 @@ using MediaBrowser.Model.Entities;
 using MediaBrowser.Model.Globalization;
 using MediaBrowser.Model.Querying;
 using MediaBrowser.Model.Services;
+using Microsoft.Extensions.Logging;
 
 namespace MediaBrowser.Api.UserLibrary
 {
@@ -224,6 +225,16 @@ namespace MediaBrowser.Api.UserLibrary
                 request.IncludeItemTypes = "Playlist";
             }
 
+            if (!user.Policy.EnableAllFolders && !user.Policy.EnabledFolders.Any(i => new Guid(i) == item.Id))
+            {
+                Logger.LogWarning("{UserName} is not permitted to access Library {ItemName}.", user.Name, item.Name);
+                return new QueryResult<BaseItem>
+                {
+                    Items = Array.Empty<BaseItem>(),
+                    TotalRecordCount = 0
+                };
+            }
+
             if (request.Recursive || !string.IsNullOrEmpty(request.Ids) || user == null)
             {
                 return folder.GetItems(GetItemsQuery(request, dtoOptions, user));