Merge pull request jellyfin#930 from fruhnow/AuthorizationCheck

checking user-permission in GetQueryResult
changyou68 · Feb 20, 2019 · 60df855 · 60df855
2 parents 44ed037 + 53beebc
commit 60df855
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 0 deletions.
diff --git a/CONTRIBUTORS.md b/CONTRIBUTORS.md
@@ -19,6 +19,7 @@
  - [LogicalPhallacy](https://github.com/LogicalPhallacy/)
  - [RazeLighter777](https://github.com/RazeLighter777)
  - [WillWill56](https://github.com/WillWill56)
+ - [fruhnow](https://github.com/fruhnow)
 
 # Emby Contributors
 

diff --git a/MediaBrowser.Api/UserLibrary/ItemsService.cs b/MediaBrowser.Api/UserLibrary/ItemsService.cs
@@ -12,6 +12,7 @@
 using MediaBrowser.Model.Globalization;
 using MediaBrowser.Model.Querying;
 using MediaBrowser.Model.Services;
+using Microsoft.Extensions.Logging;
 
 namespace MediaBrowser.Api.UserLibrary
 {
@@ -224,6 +225,16 @@ private QueryResult<BaseItem> GetQueryResult(GetItems request, DtoOptions dtoOpt
                 request.IncludeItemTypes = "Playlist";
             }
 
+            if (!user.Policy.EnableAllFolders && !user.Policy.EnabledFolders.Any(i => new Guid(i) == item.Id))
+            {
+                Logger.LogWarning("{UserName} is not permitted to access Library {ItemName}.", user.Name, item.Name);
+                return new QueryResult<BaseItem>
+                {
+                    Items = Array.Empty<BaseItem>(),
+                    TotalRecordCount = 0
+                };
+            }
+
             if (request.Recursive || !string.IsNullOrEmpty(request.Ids) || user == null)
             {
                 return folder.GetItems(GetItemsQuery(request, dtoOptions, user));