From 27fae3dd040b7e0a23f79e74bc1ee4c99595e5b8 Mon Sep 17 00:00:00 2001
From: Cody Robibero
Date: Sun, 21 Apr 2024 10:54:49 -0600
Subject: Limit sessions per user (#11370)

---
 Jellyfin.Api/Controllers/SessionController.cs | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

(limited to 'Jellyfin.Api/Controllers/SessionController.cs')

diff --git a/Jellyfin.Api/Controllers/SessionController.cs b/Jellyfin.Api/Controllers/SessionController.cs
index 52b58b8f1..60de66ab0 100644
--- a/Jellyfin.Api/Controllers/SessionController.cs
+++ b/Jellyfin.Api/Controllers/SessionController.cs
@@ -84,7 +84,8 @@ public class SessionController : BaseJellyfinApiController
 
             if (!user.HasPermission(PermissionKind.EnableRemoteControlOfOtherUsers))
             {
-                result = result.Where(i => i.UserId.IsEmpty() || i.ContainsUser(controllableByUserId.Value));
+                // User cannot control other user's sessions, validate user id.
+                result = result.Where(i => i.UserId.IsEmpty() || i.ContainsUser(RequestHelpers.GetUserId(User, controllableByUserId)));
             }
 
             if (!user.HasPermission(PermissionKind.EnableSharedDeviceControl))
@@ -105,6 +106,11 @@ public class SessionController : BaseJellyfinApiController
                     return true;
                 });
             }
+            else if (!User.IsInRole(UserRoles.Administrator))
+            {
+                // Request isn't from administrator, limit to "own" sessions.
+                result = result.Where(i => i.UserId.IsEmpty() || i.ContainsUser(User.GetUserId()));
+            }
 
             if (activeWithinSeconds.HasValue && activeWithinSeconds.Value > 0)
             {
-- 
cgit v1.2.3
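Review bot: `RequestHelpers.GetUserId(User, controllableByUserId)` is placed inside the `Where` lambda, so it is evaluated once per session when `result` is enumerated rather than once at this guard, and if it rejects the caller (presumably by throwing when a non-administrator names another user — confirm against the helper) the failure surfaces during enumeration instead of here. The check is also reached only when `user` lacks `EnableRemoteControlOfOtherUsers`; if `user` is the account resolved from `controllableByUserId` (its assignment is outside the hunk), a caller naming an account that holds that permission never has their own identity compared against the requested id in this branch. Hoist the validation above both permission tests: `var userId = RequestHelpers.GetUserId(User, controllableByUserId);` and then `result = result.Where(i => i.UserId.IsEmpty() || i.ContainsUser(userId));`. The enclosing method and the `if` block this sits in start outside the hunk.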
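Review bot: The predicate `i.UserId.IsEmpty() || i.ContainsUser(...)` in the new `else if` repeats the one in the first hunk apart from which user id is passed; factoring it into a local function that takes the id would keep the two filters from drifting apart. In both branches sessions with an empty `UserId` stay visible to non-administrators; if that is intended, say so on the new branch, e.g. `// Sessions not yet bound to a user stay visible; only other users' sessions are hidden.` The `if` this `else if` extends and the enclosing method start outside the hunk.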