Limit sessions per user (#11370)

1 files changed, 7 insertions, 1 deletions

diff --git a/Jellyfin.Api/Controllers/SessionController.cs b/Jellyfin.Api/Controllers/SessionController.cs
index 52b58b8f1..60de66ab0 100644
--- a/Jellyfin.Api/Controllers/SessionController.cs
+++ b/Jellyfin.Api/Controllers/SessionController.cs
@@ -84,7 +84,8 @@ public class SessionController : BaseJellyfinApiController
 
             if (!user.HasPermission(PermissionKind.EnableRemoteControlOfOtherUsers))
             {
-                result = result.Where(i => i.UserId.IsEmpty() || i.ContainsUser(controllableByUserId.Value));
+                // User cannot control other user's sessions, validate user id.
+                result = result.Where(i => i.UserId.IsEmpty() || i.ContainsUser(RequestHelpers.GetUserId(User, controllableByUserId)));
             }
 
             if (!user.HasPermission(PermissionKind.EnableSharedDeviceControl))
@@ -105,6 +106,11 @@ public class SessionController : BaseJellyfinApiController
                 return true;
             });
         }
+        else if (!User.IsInRole(UserRoles.Administrator))
+        {
+            // Request isn't from administrator, limit to "own" sessions.
+            result = result.Where(i => i.UserId.IsEmpty() || i.ContainsUser(User.GetUserId()));
+        }
 
         if (activeWithinSeconds.HasValue && activeWithinSeconds.Value > 0)
         {