Fix items endpoint not honoring library access control

1 files changed, 5 insertions, 31 deletions

diff --git a/Jellyfin.Api/Controllers/ItemsController.cs b/Jellyfin.Api/Controllers/ItemsController.cs
index 80ae5abcb..33b67b389 100644
--- a/Jellyfin.Api/Controllers/ItemsController.cs
+++ b/Jellyfin.Api/Controllers/ItemsController.cs
@@ -282,39 +282,13 @@ namespace Jellyfin.Api.Controllers
                 includeItemTypes = new[] { BaseItemKind.Playlist };
             }
 
-            var enabledChannels = isApiKey
-                ? Array.Empty<Guid>()
-                : user!.GetPreferenceValues<Guid>(PreferenceKind.EnabledChannels);
-
-            // api keys are always enabled for all folders
-            bool isInEnabledFolder = isApiKey
-                                     || Array.IndexOf(user!.GetPreferenceValues<Guid>(PreferenceKind.EnabledFolders), item.Id) != -1
-                                     // Assume all folders inside an EnabledChannel are enabled
-                                     || Array.IndexOf(enabledChannels, item.Id) != -1
-                                     // Assume all items inside an EnabledChannel are enabled
-                                     || Array.IndexOf(enabledChannels, item.ChannelId) != -1;
-
-            if (!isInEnabledFolder)
-            {
-                var collectionFolders = _libraryManager.GetCollectionFolders(item);
-                foreach (var collectionFolder in collectionFolders)
-                {
-                    // api keys never enter this block, so user is never null
-                    if (user!.GetPreferenceValues<Guid>(PreferenceKind.EnabledFolders).Contains(collectionFolder.Id))
-                    {
-                        isInEnabledFolder = true;
-                    }
-                }
-            }
-
-            // api keys are always enabled for all folders, so user is never null
             if (item is not UserRootFolder
-                && !isInEnabledFolder
-                && !user!.HasPermission(PermissionKind.EnableAllFolders)
-                && !user.HasPermission(PermissionKind.EnableAllChannels)
-                && !string.Equals(collectionType, CollectionType.Folders, StringComparison.OrdinalIgnoreCase))
+                // api keys can always access all folders
+                && !isApiKey
+                // check the item is visible for the user
+                && !item.IsVisible(user))
             {
-                _logger.LogWarning("{UserName} is not permitted to access Library {ItemName}", user.Username, item.Name);
+                _logger.LogWarning("{UserName} is not permitted to access Library {ItemName}", user!.Username, item.Name);
                 return Unauthorized($"{user.Username} is not permitted to access Library {item.Name}.");
             }