From 967d5deeb79405ce7122c6124dac019b278ca70b Mon Sep 17 00:00:00 2001
From: Felix Ruhnow
Date: Mon, 18 Feb 2019 18:29:58 +0100
Subject: checking user-permission in GetQueryResult to prevent accessing the library without permission but having a link. (+added myself as contributor. forgot last time bout that)
---
 MediaBrowser.Api/UserLibrary/ItemsService.cs | 11 +++++++++++
 1 file changed, 11 insertions(+)
(limited to 'MediaBrowser.Api/UserLibrary/ItemsService.cs')
diff --git a/MediaBrowser.Api/UserLibrary/ItemsService.cs b/MediaBrowser.Api/UserLibrary/ItemsService.cs
index 3ae7da007..895c88dc8 100644
--- a/MediaBrowser.Api/UserLibrary/ItemsService.cs
+++ b/MediaBrowser.Api/UserLibrary/ItemsService.cs
@@ -12,6 +12,7 @@ using MediaBrowser.Model.Entities;
 using MediaBrowser.Model.Globalization;
 using MediaBrowser.Model.Querying;
 using MediaBrowser.Model.Services;
+using Microsoft.Extensions.Logging;
 namespace MediaBrowser.Api.UserLibrary
 {
@@ -227,6 +228,16 @@ namespace MediaBrowser.Api.UserLibrary
 request.IncludeItemTypes = "Playlist";
 }
+ if (!user.Policy.EnabledFolders.Where(i => new Guid(i).Equals(item.Id)).Any() && !user.Policy.EnableAllFolders)
+ {
+ Logger.LogWarning($"{user.Name} is not permitted to access Library {item.Name}.");
+ return new QueryResult
+ {
+ Items = new BaseItem[0],
+ TotalRecordCount = 0
+ };
+ }
+
 if (request.Recursive || !string.IsNullOrEmpty(request.Ids) || user == null)
 {
 return folder.GetItems(GetItemsQuery(request, dtoOptions, user));
-- cgit v1.2.3
From 1d631540ace68a8079aba7f5a4d790397bcd3317 Mon Sep 17 00:00:00 2001
From: Felix Ruhnow
Date: Tue, 19 Feb 2019 12:06:50 +0100
Subject: adressing pr comments
---
 MediaBrowser.Api/UserLibrary/ItemsService.cs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'MediaBrowser.Api/UserLibrary/ItemsService.cs')
diff --git a/MediaBrowser.Api/UserLibrary/ItemsService.cs b/MediaBrowser.Api/UserLibrary/ItemsService.cs
index 895c88dc8..aae86e416 100644
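Review bot: The added permission check reads `user.Policy` unconditionally, but the unchanged condition directly below it (`... || user == null`) shows this path can run without a user, so such a request would now fail with a NullReferenceException instead of reaching the existing branch. Decide explicitly what a user-less request may see and make the check say so, for example deny first with `if (user == null || (!user.Policy.EnableAllFolders && !user.Policy.EnabledFolders.Any(...)))` if anonymous access is not intended. The later commits in this series rewrite the condition but keep the same dereference. The method starts and ends outside the hunk, so whether `item` is always a library root is not visible here; if it can be a nested folder, its id would never appear in `EnabledFolders` and permitted users would get an empty result.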
--- a/MediaBrowser.Api/UserLibrary/ItemsService.cs
+++ b/MediaBrowser.Api/UserLibrary/ItemsService.cs
@@ -228,12 +228,12 @@ namespace MediaBrowser.Api.UserLibrary
 request.IncludeItemTypes = "Playlist";
 }
- if (!user.Policy.EnabledFolders.Where(i => new Guid(i).Equals(item.Id)).Any() && !user.Policy.EnableAllFolders)
+ if (!user.Policy.EnableAllFolders && !user.Policy.EnabledFolders.Any(i => new Guid(i).Equals(item.Id)))
 {
 Logger.LogWarning($"{user.Name} is not permitted to access Library {item.Name}.");
 return new QueryResult
 {
- Items = new BaseItem[0],
+ Items = Array.Empty(),
 TotalRecordCount = 0
 };
 }
-- cgit v1.2.3
From ba003e06efd55bc599cbd8c29be6a41b21e3c35e Mon Sep 17 00:00:00 2001
From: Felix Ruhnow
Date: Tue, 19 Feb 2019 12:09:39 +0100
Subject: adressing pr comments
---
 MediaBrowser.Api/UserLibrary/ItemsService.cs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'MediaBrowser.Api/UserLibrary/ItemsService.cs')
diff --git a/MediaBrowser.Api/UserLibrary/ItemsService.cs b/MediaBrowser.Api/UserLibrary/ItemsService.cs
index aae86e416..dfd523fde 100644
--- a/MediaBrowser.Api/UserLibrary/ItemsService.cs
+++ b/MediaBrowser.Api/UserLibrary/ItemsService.cs
@@ -228,7 +228,7 @@ namespace MediaBrowser.Api.UserLibrary
 request.IncludeItemTypes = "Playlist";
 }
- if (!user.Policy.EnableAllFolders && !user.Policy.EnabledFolders.Any(i => new Guid(i).Equals(item.Id)))
+ if (!user.Policy.EnableAllFolders && !user.Policy.EnabledFolders.Any(i => new Guid(i) == item.Id))
 {
 Logger.LogWarning($"{user.Name} is not permitted to access Library {item.Name}.");
 return new QueryResult
-- cgit v1.2.3
From 53beebc77415d9020bedb385483851e7bb96a929 Mon Sep 17 00:00:00 2001
From: Felix Ruhnow
Date: Tue, 19 Feb 2019 12:17:28 +0100
Subject: switching logging to serilog convention according to pr comments
---
 MediaBrowser.Api/UserLibrary/ItemsService.cs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'MediaBrowser.Api/UserLibrary/ItemsService.cs')
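Review bot: `new Guid(i)` inside the `Any(...)` predicate throws on an empty or malformed entry in `EnabledFolders`, so one bad policy value turns this access check into a failed request rather than a clean deny. Parsing defensively keeps the check fail-closed without the exception: `user.Policy.EnabledFolders.Any(i => Guid.TryParse(i, out var id) && id == item.Id)`. The same expression is carried unchanged into the following commit's hunk, which only swaps `.Equals` for `==`. The enclosing method starts and ends outside the hunk.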
diff --git a/MediaBrowser.Api/UserLibrary/ItemsService.cs b/MediaBrowser.Api/UserLibrary/ItemsService.cs
index dfd523fde..ba4e8022c 100644
--- a/MediaBrowser.Api/UserLibrary/ItemsService.cs
+++ b/MediaBrowser.Api/UserLibrary/ItemsService.cs
@@ -230,7 +230,7 @@ namespace MediaBrowser.Api.UserLibrary
 if (!user.Policy.EnableAllFolders && !user.Policy.EnabledFolders.Any(i => new Guid(i) == item.Id))
 {
- Logger.LogWarning($"{user.Name} is not permitted to access Library {item.Name}.");
+ Logger.LogWarning("{UserName} is not permitted to access Library {ItemName}.", user.Name, item.Name);
 return new QueryResult
 {
 Items = Array.Empty(),
-- cgit v1.2.3
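Review bot: The denial event in the new `Logger.LogWarning` call identifies both sides only by display name, which is weak for audit and alerting because names can be duplicated or changed later. Adding the stable identifier as a structured property makes denied-access events correlatable, e.g. `Logger.LogWarning("{UserName} is not permitted to access Library {ItemName} ({ItemId}).", user.Name, item.Name, item.Id);`, and the user's id could be added the same way. A short comment above the `if` stating that an empty result is returned deliberately instead of an authorization error would also help the next reader.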