Merge pull request #930 from fruhnow/AuthorizationCheck

checking user-permission in GetQueryResult
This commit is contained in:
Vasily 2019-02-20 14:42:35 +03:00 committed by GitHub
commit 60df855b26
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 12 additions and 0 deletions

View File

@ -19,6 +19,7 @@
- [LogicalPhallacy](https://github.com/LogicalPhallacy/) - [LogicalPhallacy](https://github.com/LogicalPhallacy/)
- [RazeLighter777](https://github.com/RazeLighter777) - [RazeLighter777](https://github.com/RazeLighter777)
- [WillWill56](https://github.com/WillWill56) - [WillWill56](https://github.com/WillWill56)
- [fruhnow](https://github.com/fruhnow)
# Emby Contributors # Emby Contributors

View File

@ -12,6 +12,7 @@ using MediaBrowser.Model.Entities;
using MediaBrowser.Model.Globalization; using MediaBrowser.Model.Globalization;
using MediaBrowser.Model.Querying; using MediaBrowser.Model.Querying;
using MediaBrowser.Model.Services; using MediaBrowser.Model.Services;
using Microsoft.Extensions.Logging;
namespace MediaBrowser.Api.UserLibrary namespace MediaBrowser.Api.UserLibrary
{ {
@ -224,6 +225,16 @@ namespace MediaBrowser.Api.UserLibrary
request.IncludeItemTypes = "Playlist"; request.IncludeItemTypes = "Playlist";
} }
if (!user.Policy.EnableAllFolders && !user.Policy.EnabledFolders.Any(i => new Guid(i) == item.Id))
{
Logger.LogWarning("{UserName} is not permitted to access Library {ItemName}.", user.Name, item.Name);
return new QueryResult<BaseItem>
{
Items = Array.Empty<BaseItem>(),
TotalRecordCount = 0
};
}
if (request.Recursive || !string.IsNullOrEmpty(request.Ids) || user == null) if (request.Recursive || !string.IsNullOrEmpty(request.Ids) || user == null)
{ {
return folder.GetItems(GetItemsQuery(request, dtoOptions, user)); return folder.GetItems(GetItemsQuery(request, dtoOptions, user));