Fix items endpoint not honoring library access control

author: Bill Thornton <billt2006@gmail.com> 2022-11-09 18:02:49 -0500
committer: Bill Thornton <billt2006@gmail.com> 2022-11-09 18:02:49 -0500
commit: fb9023f2d83c9e0947c63d4a0c27b35d6c711d9c (patch)
tree: 5a02d8fd24fec4ab9d86ee7aba0f0c7f1644dce8 /Jellyfin.Api/Controllers
parent: af84bc373cf86ea64a31320c695b6f8069c47ef3 (diff)
1 files changed, 5 insertions, 31 deletions
diff --git a/Jellyfin.Api/Controllers/ItemsController.cs b/Jellyfin.Api/Controllers/ItemsController.cs
index 80ae5abcb..33b67b389 100644
--- a/Jellyfin.Api/Controllers/ItemsController.cs
+++ b/Jellyfin.Api/Controllers/ItemsController.cs
@@ -282,39 +282,13 @@ namespace Jellyfin.Api.Controllers
                 includeItemTypes = new[] { BaseItemKind.Playlist };
             }
 
-            var enabledChannels = isApiKey
-                ? Array.Empty<Guid>()
-                : user!.GetPreferenceValues<Guid>(PreferenceKind.EnabledChannels);
-
-            // api keys are always enabled for all folders
-            bool isInEnabledFolder = isApiKey
-                                     || Array.IndexOf(user!.GetPreferenceValues<Guid>(PreferenceKind.EnabledFolders), item.Id) != -1
-                                     // Assume all folders inside an EnabledChannel are enabled
-                                     || Array.IndexOf(enabledChannels, item.Id) != -1
-                                     // Assume all items inside an EnabledChannel are enabled
-                                     || Array.IndexOf(enabledChannels, item.ChannelId) != -1;
-
-            if (!isInEnabledFolder)
-            {
-                var collectionFolders = _libraryManager.GetCollectionFolders(item);
-                foreach (var collectionFolder in collectionFolders)
-                {
-                    // api keys never enter this block, so user is never null
-                    if (user!.GetPreferenceValues<Guid>(PreferenceKind.EnabledFolders).Contains(collectionFolder.Id))
-                    {
-                        isInEnabledFolder = true;
-                    }
-                }
-            }
-
-            // api keys are always enabled for all folders, so user is never null
             if (item is not UserRootFolder
-                && !isInEnabledFolder
-                && !user!.HasPermission(PermissionKind.EnableAllFolders)
-                && !user.HasPermission(PermissionKind.EnableAllChannels)
-                && !string.Equals(collectionType, CollectionType.Folders, StringComparison.OrdinalIgnoreCase))
+                // api keys can always access all folders
+                && !isApiKey
+                // check the item is visible for the user
+                && !item.IsVisible(user))
             {
-                _logger.LogWarning("{UserName} is not permitted to access Library {ItemName}", user.Username, item.Name);
+                _logger.LogWarning("{UserName} is not permitted to access Library {ItemName}", user!.Username, item.Name);
                 return Unauthorized($"{user.Username} is not permitted to access Library {item.Name}.");
             }
author	Bill Thornton <billt2006@gmail.com>	2022-11-09 18:02:49 -0500
committer	Bill Thornton <billt2006@gmail.com>	2022-11-09 18:02:49 -0500
commit	fb9023f2d83c9e0947c63d4a0c27b35d6c711d9c (patch)
tree	5a02d8fd24fec4ab9d86ee7aba0f0c7f1644dce8 /Jellyfin.Api/Controllers
parent	af84bc373cf86ea64a31320c695b6f8069c47ef3 (diff)