diff options
Diffstat (limited to 'Jellyfin.Api/Controllers/SessionController.cs')
| -rw-r--r-- | Jellyfin.Api/Controllers/SessionController.cs | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/Jellyfin.Api/Controllers/SessionController.cs b/Jellyfin.Api/Controllers/SessionController.cs index 52b58b8f1..60de66ab0 100644 --- a/Jellyfin.Api/Controllers/SessionController.cs +++ b/Jellyfin.Api/Controllers/SessionController.cs @@ -84,7 +84,8 @@ public class SessionController : BaseJellyfinApiController if (!user.HasPermission(PermissionKind.EnableRemoteControlOfOtherUsers)) { - result = result.Where(i => i.UserId.IsEmpty() || i.ContainsUser(controllableByUserId.Value)); + // User cannot control other user's sessions, validate user id. + result = result.Where(i => i.UserId.IsEmpty() || i.ContainsUser(RequestHelpers.GetUserId(User, controllableByUserId))); } if (!user.HasPermission(PermissionKind.EnableSharedDeviceControl)) @@ -105,6 +106,11 @@ public class SessionController : BaseJellyfinApiController return true; }); } + else if (!User.IsInRole(UserRoles.Administrator)) + { + // Request isn't from administrator, limit to "own" sessions. + result = result.Where(i => i.UserId.IsEmpty() || i.ContainsUser(User.GetUserId())); + } if (activeWithinSeconds.HasValue && activeWithinSeconds.Value > 0) { |