checking user-permission in GetQueryResult to prevent accessing the library without permission but having a link. (+added myself as contributor. forgot last time bout that)

2019-02-18 18:29:58 +01:00 · 2019-02-18 18:29:58 +01:00 · 967d5deeb7
commit 967d5deeb7
parent 395072239d
2 changed files with 12 additions and 0 deletions
--- a/CONTRIBUTORS.md
+++ b/CONTRIBUTORS.md
@ -19,6 +19,7 @@
 - [LogicalPhallacy](https://github.com/LogicalPhallacy/)
 - [RazeLighter777](https://github.com/RazeLighter777)
 - [WillWill56](https://github.com/WillWill56)
+ - [fruhnow](https://github.com/fruhnow)

 # Emby Contributors

--- a/MediaBrowser.Api/UserLibrary/ItemsService.cs
+++ b/MediaBrowser.Api/UserLibrary/ItemsService.cs
@ -12,6 +12,7 @@ using MediaBrowser.Model.Entities;
 using MediaBrowser.Model.Globalization;
 using MediaBrowser.Model.Querying;
 using MediaBrowser.Model.Services;
+using Microsoft.Extensions.Logging;

 namespace MediaBrowser.Api.UserLibrary
 {
@ -227,6 +228,16 @@ namespace MediaBrowser.Api.UserLibrary
                request.IncludeItemTypes = "Playlist";
            }

+            if (!user.Policy.EnabledFolders.Where(i => new Guid(i).Equals(item.Id)).Any() && !user.Policy.EnableAllFolders)
+            {
+                Logger.LogWarning($"{user.Name} is not permitted to access Library {item.Name}.");
+                return new QueryResult<BaseItem>
+                {
+                    Items = new BaseItem[0],
+                    TotalRecordCount = 0
+                };
+            }
+
            if (request.Recursive || !string.IsNullOrEmpty(request.Ids) || user == null)
            {
                return folder.GetItems(GetItemsQuery(request, dtoOptions, user));