Fix permission checks

author: Shadowghost <Ghost_of_Stone@web.de> 2024-09-18 16:10:13 +0200
committer: Shadowghost <Ghost_of_Stone@web.de> 2024-09-18 16:10:13 +0200
commit: ffa1c370fd4b92df15609cd3706b8ebcff930e0d (patch)
tree: e4c41b9cd7c5f521640d1b603d5fce90c41ee045
parent: 0a982e2bfdd6f72dbe9c0bcb09db9890a314a7af (diff)
1 files changed, 4 insertions, 1 deletions
diff --git a/Emby.Server.Implementations/Session/SessionManager.cs b/Emby.Server.Implementations/Session/SessionManager.cs
index 6bcbe3ceb..55e485669 100644
--- a/Emby.Server.Implementations/Session/SessionManager.cs
+++ b/Emby.Server.Implementations/Session/SessionManager.cs
@@ -1886,7 +1886,7 @@ namespace Emby.Server.Implementations.Session
                 if (!user.HasPermission(PermissionKind.EnableRemoteControlOfOtherUsers))
                 {
                     // User cannot control other user's sessions, validate user id.
-                    result = result.Where(i => i.UserId.IsEmpty() || i.ContainsUser(controllableUserToCheck.Value));
+                    result = result.Where(i => i.UserId.IsEmpty() || i.ContainsUser(user.Id));
                 }
 
                 result = result.Where(i =>
@@ -1903,7 +1903,10 @@ namespace Emby.Server.Implementations.Session
             {
                 // Request isn't from administrator, limit to "own" sessions.
                 result = result.Where(i => i.UserId.IsEmpty() || i.ContainsUser(userId));
+            }
 
+            if (!user.HasPermission(PermissionKind.IsAdministrator))
+            {
                 // Don't report acceleration type for non-admin users.
                 result = result.Select(r =>
                 {
author	Shadowghost <Ghost_of_Stone@web.de>	2024-09-18 16:10:13 +0200
committer	Shadowghost <Ghost_of_Stone@web.de>	2024-09-18 16:10:13 +0200
commit	ffa1c370fd4b92df15609cd3706b8ebcff930e0d (patch)
tree	e4c41b9cd7c5f521640d1b603d5fce90c41ee045
parent	0a982e2bfdd6f72dbe9c0bcb09db9890a314a7af (diff)