aboutsummaryrefslogtreecommitdiff
path: root/Jellyfin.Api/Controllers/SessionController.cs
diff options
context:
space:
mode:
Diffstat (limited to 'Jellyfin.Api/Controllers/SessionController.cs')
-rw-r--r--Jellyfin.Api/Controllers/SessionController.cs8
1 files changed, 7 insertions, 1 deletions
diff --git a/Jellyfin.Api/Controllers/SessionController.cs b/Jellyfin.Api/Controllers/SessionController.cs
index 52b58b8f1..60de66ab0 100644
--- a/Jellyfin.Api/Controllers/SessionController.cs
+++ b/Jellyfin.Api/Controllers/SessionController.cs
@@ -84,7 +84,8 @@ public class SessionController : BaseJellyfinApiController
if (!user.HasPermission(PermissionKind.EnableRemoteControlOfOtherUsers))
{
- result = result.Where(i => i.UserId.IsEmpty() || i.ContainsUser(controllableByUserId.Value));
+ // User cannot control other user's sessions, validate user id.
+ result = result.Where(i => i.UserId.IsEmpty() || i.ContainsUser(RequestHelpers.GetUserId(User, controllableByUserId)));
}
if (!user.HasPermission(PermissionKind.EnableSharedDeviceControl))
@@ -105,6 +106,11 @@ public class SessionController : BaseJellyfinApiController
return true;
});
}
+ else if (!User.IsInRole(UserRoles.Administrator))
+ {
+ // Request isn't from administrator, limit to "own" sessions.
+ result = result.Where(i => i.UserId.IsEmpty() || i.ContainsUser(User.GetUserId()));
+ }
if (activeWithinSeconds.HasValue && activeWithinSeconds.Value > 0)
{
generated by cgit v1.2.3 (git 2.46.0) at 2025-12-06 16:59:40 +0000