
Fix items endpoint not honoring library access control

Bill Thornton %!s(int64=2) %!d(string=hai) anos
pai
achega
fb9023f2d8
Modificáronse 1 ficheiros con 5 adicións e 31 borrados
  1. 5 31
      Jellyfin.Api/Controllers/ItemsController.cs

+ 5 - 31
Jellyfin.Api/Controllers/ItemsController.cs

@@ -282,39 +282,13 @@ namespace Jellyfin.Api.Controllers
                 includeItemTypes = new[] { BaseItemKind.Playlist };
             }
 
-            var enabledChannels = isApiKey
-                ? Array.Empty<Guid>()
-                : user!.GetPreferenceValues<Guid>(PreferenceKind.EnabledChannels);
-
-            // api keys are always enabled for all folders
-            bool isInEnabledFolder = isApiKey
-                                     || Array.IndexOf(user!.GetPreferenceValues<Guid>(PreferenceKind.EnabledFolders), item.Id) != -1
-                                     // Assume all folders inside an EnabledChannel are enabled
-                                     || Array.IndexOf(enabledChannels, item.Id) != -1
-                                     // Assume all items inside an EnabledChannel are enabled
-                                     || Array.IndexOf(enabledChannels, item.ChannelId) != -1;
-
-            if (!isInEnabledFolder)
-            {
-                var collectionFolders = _libraryManager.GetCollectionFolders(item);
-                foreach (var collectionFolder in collectionFolders)
-                {
-                    // api keys never enter this block, so user is never null
-                    if (user!.GetPreferenceValues<Guid>(PreferenceKind.EnabledFolders).Contains(collectionFolder.Id))
-                    {
-                        isInEnabledFolder = true;
-                    }
-                }
-            }
-
-            // api keys are always enabled for all folders, so user is never null
             if (item is not UserRootFolder
-                && !isInEnabledFolder
-                && !user!.HasPermission(PermissionKind.EnableAllFolders)
-                && !user.HasPermission(PermissionKind.EnableAllChannels)
-                && !string.Equals(collectionType, CollectionType.Folders, StringComparison.OrdinalIgnoreCase))
+                // api keys can always access all folders
+                && !isApiKey
+                // check the item is visible for the user
+                && !item.IsVisible(user))
             {
-                _logger.LogWarning("{UserName} is not permitted to access Library {ItemName}", user.Username, item.Name);
+                _logger.LogWarning("{UserName} is not permitted to access Library {ItemName}", user!.Username, item.Name);
                 return Unauthorized($"{user.Username} is not permitted to access Library {item.Name}.");
             }
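Review bot: The denial branch at the end of the hunk still puts `item.Name` in the response body, so a caller who fails `item.IsVisible(user)` is told the name of a library they are not allowed to see. Consider a generic body such as `return Unauthorized($"{user.Username} is not permitted to access this library.");` and keep the item name only in the server-side log line. Separately, `user!.Username` and the un-annotated `item.IsVisible(user)` both depend on `!isApiKey` implying a non-null `user`, which is established outside the hunk. The removed comments carried that reasoning, so a short replacement like `// isApiKey is false here, so user is expected to be non-null` above the check would keep it visible. The enclosing method starts and ends outside the hunk, so how `user` is resolved could not be checked from here.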