mirror of https://github.com/jellyfin/jellyfin.git
Merge pull request #8732 from thornbill/fix-items-access
commit
1b7500c555
|
@ -282,39 +282,13 @@ namespace Jellyfin.Api.Controllers
|
||||||
includeItemTypes = new[] { BaseItemKind.Playlist };
|
includeItemTypes = new[] { BaseItemKind.Playlist };
|
||||||
}
|
}
|
||||||
|
|
||||||
var enabledChannels = isApiKey
|
|
||||||
? Array.Empty<Guid>()
|
|
||||||
: user!.GetPreferenceValues<Guid>(PreferenceKind.EnabledChannels);
|
|
||||||
|
|
||||||
// api keys are always enabled for all folders
|
|
||||||
bool isInEnabledFolder = isApiKey
|
|
||||||
|| Array.IndexOf(user!.GetPreferenceValues<Guid>(PreferenceKind.EnabledFolders), item.Id) != -1
|
|
||||||
// Assume all folders inside an EnabledChannel are enabled
|
|
||||||
|| Array.IndexOf(enabledChannels, item.Id) != -1
|
|
||||||
// Assume all items inside an EnabledChannel are enabled
|
|
||||||
|| Array.IndexOf(enabledChannels, item.ChannelId) != -1;
|
|
||||||
|
|
||||||
if (!isInEnabledFolder)
|
|
||||||
{
|
|
||||||
var collectionFolders = _libraryManager.GetCollectionFolders(item);
|
|
||||||
foreach (var collectionFolder in collectionFolders)
|
|
||||||
{
|
|
||||||
// api keys never enter this block, so user is never null
|
|
||||||
if (user!.GetPreferenceValues<Guid>(PreferenceKind.EnabledFolders).Contains(collectionFolder.Id))
|
|
||||||
{
|
|
||||||
isInEnabledFolder = true;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// api keys are always enabled for all folders, so user is never null
|
|
||||||
if (item is not UserRootFolder
|
if (item is not UserRootFolder
|
||||||
&& !isInEnabledFolder
|
// api keys can always access all folders
|
||||||
&& !user!.HasPermission(PermissionKind.EnableAllFolders)
|
&& !isApiKey
|
||||||
&& !user.HasPermission(PermissionKind.EnableAllChannels)
|
// check the item is visible for the user
|
||||||
&& !string.Equals(collectionType, CollectionType.Folders, StringComparison.OrdinalIgnoreCase))
|
&& !item.IsVisible(user))
|
||||||
{
|
{
|
||||||
_logger.LogWarning("{UserName} is not permitted to access Library {ItemName}", user.Username, item.Name);
|
_logger.LogWarning("{UserName} is not permitted to access Library {ItemName}", user!.Username, item.Name);
|
||||||
return Unauthorized($"{user.Username} is not permitted to access Library {item.Name}.");
|
return Unauthorized($"{user.Username} is not permitted to access Library {item.Name}.");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
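Review bot: The denial branch still puts `item.Name` in the `Unauthorized(...)` body, so a caller who has just failed `item.IsVisible(user)` is told the name of a library they are not allowed to see. Keep the name in the `_logger.LogWarning` call and return a generic body, for example `return Unauthorized("Access to the requested library is not permitted.");`. Separately, the `user!` on the log line and the nullable `user` passed to `IsVisible` both rely on `!isApiKey` implying a non-null user, which is established outside this hunk; the removed comments documented that invariant, so a comment such as `// isApiKey is false here, so user is not null` above the `IsVisible` check would preserve it. The enclosing method starts and ends outside the hunk.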
@ -485,7 +485,7 @@ namespace Jellyfin.Api.Controllers
|
||||||
/// <response code="200">Media folders returned.</response>
|
/// <response code="200">Media folders returned.</response>
|
||||||
/// <returns>List of user media folders.</returns>
|
/// <returns>List of user media folders.</returns>
|
||||||
[HttpGet("Library/MediaFolders")]
|
[HttpGet("Library/MediaFolders")]
|
||||||
[Authorize(Policy = Policies.DefaultAuthorization)]
|
[Authorize(Policy = Policies.RequiresElevation)]
|
||||||
[ProducesResponseType(StatusCodes.Status200OK)]
|
[ProducesResponseType(StatusCodes.Status200OK)]
|
||||||
public ActionResult<QueryResult<BaseItemDto>> GetMediaFolders([FromQuery] bool? isHidden)
|
public ActionResult<QueryResult<BaseItemDto>> GetMediaFolders([FromQuery] bool? isHidden)
|
||||||
{
|
{
|
||||||
|
|
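Review bot: The XML doc and the `[ProducesResponseType]` list on `GetMediaFolders` still advertise only a 200 response and "List of user media folders", although with `Policies.RequiresElevation` a non-elevated caller is now rejected before the action runs. Document the new contract next to the existing lines, for example `/// <response code="403">User does not have elevated permissions.</response>` and `[ProducesResponseType(StatusCodes.Status403Forbidden)]`, assuming the policy answers with 403 as the ASP.NET Core default does. The policy definition is not visible on this page, so it is also worth confirming that API-key callers still satisfy it. The method body continues outside the hunk.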