From fb9023f2d83c9e0947c63d4a0c27b35d6c711d9c Mon Sep 17 00:00:00 2001
From: Bill Thornton
Date: Wed, 9 Nov 2022 18:02:49 -0500
Subject: [PATCH 1/3] Fix items endpoint not honoring library access control

---
 Jellyfin.Api/Controllers/ItemsController.cs | 36 +++------------------
 1 file changed, 5 insertions(+), 31 deletions(-)

diff --git a/Jellyfin.Api/Controllers/ItemsController.cs b/Jellyfin.Api/Controllers/ItemsController.cs
index 80ae5abcbf..33b67b3898 100644
--- a/Jellyfin.Api/Controllers/ItemsController.cs
+++ b/Jellyfin.Api/Controllers/ItemsController.cs
@@ -282,39 +282,13 @@ namespace Jellyfin.Api.Controllers
 includeItemTypes = new[] { BaseItemKind.Playlist };
 }
 
- var enabledChannels = isApiKey
- ? Array.Empty()
- : user!.GetPreferenceValues(PreferenceKind.EnabledChannels);
-
- // api keys are always enabled for all folders
- bool isInEnabledFolder = isApiKey
- || Array.IndexOf(user!.GetPreferenceValues(PreferenceKind.EnabledFolders), item.Id) != -1
- // Assume all folders inside an EnabledChannel are enabled
- || Array.IndexOf(enabledChannels, item.Id) != -1
- // Assume all items inside an EnabledChannel are enabled
- || Array.IndexOf(enabledChannels, item.ChannelId) != -1;
-
- if (!isInEnabledFolder)
- {
- var collectionFolders = _libraryManager.GetCollectionFolders(item);
- foreach (var collectionFolder in collectionFolders)
- {
- // api keys never enter this block, so user is never null
- if (user!.GetPreferenceValues(PreferenceKind.EnabledFolders).Contains(collectionFolder.Id))
- {
- isInEnabledFolder = true;
- }
- }
- }
-
- // api keys are always enabled for all folders, so user is never null
 if (item is not UserRootFolder
- && !isInEnabledFolder
- && !user!.HasPermission(PermissionKind.EnableAllFolders)
- && !user.HasPermission(PermissionKind.EnableAllChannels)
- && !string.Equals(collectionType, CollectionType.Folders, StringComparison.OrdinalIgnoreCase))
+ // api keys can always access all folders
+ && !isApiKey
+ // check the item is visible for the user
+ && !item.IsVisible(user))
 {
- _logger.LogWarning("{UserName} is not permitted to access Library {ItemName}", user.Username, item.Name);
+ _logger.LogWarning("{UserName} is not permitted to access Library {ItemName}", user!.Username, item.Name);
 return Unauthorized($"{user.Username} is not permitted to access Library {item.Name}.");
 }
 
From 9f352ccb5b5ab85eac064f70fc819f04984fa0d7 Mon Sep 17 00:00:00 2001
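Review bot: The new condition makes `item.IsVisible(user)` the sole library access check, but the removed lines also granted access through `EnabledChannels` (matching `item.Id` or `item.ChannelId`), through the `EnableAllChannels` permission and through the parent collection folders returned by `GetCollectionFolders(item)`; unless `IsVisible` covers all of those, items that were reachable before will now be refused. A regression test that requests a channel item as a user who only has `EnableAllChannels` (or has the channel in `EnabledChannels`), and one for an item nested under an enabled collection folder, would pin the intended behaviour either way. The `!isApiKey` guard means `user` is dereferenced only on the non-API-key path, so the `user!.Username` in the warning is consistent with the old `user!` usages; a short comment at the `if`, such as `// IsVisible is the single authority for library access here; API keys bypass it`, would save the next reader from reconstructing this from history. The enclosing action begins before and continues after the hunk.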
From: Bill Thornton
Date: Wed, 9 Nov 2022 18:31:30 -0500
Subject: [PATCH 2/3] Fix media folders endpoint access control

---
 Jellyfin.Api/Controllers/LibraryController.cs | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/Jellyfin.Api/Controllers/LibraryController.cs b/Jellyfin.Api/Controllers/LibraryController.cs
index e9492a6a47..b056215b92 100644
--- a/Jellyfin.Api/Controllers/LibraryController.cs
+++ b/Jellyfin.Api/Controllers/LibraryController.cs
@@ -491,6 +491,12 @@ namespace Jellyfin.Api.Controllers
 {
 var items = _libraryManager.GetUserRootFolder().Children.Concat(_libraryManager.RootFolder.VirtualChildren).OrderBy(i => i.SortName).ToList();
 
+ if (!User.GetIsApiKey() && !User.IsInRole(UserRoles.Administrator))
+ {
+ var user = _userManager.GetUserById(User.GetUserId());
+ items = items.Where(i => i.IsVisible(user)).ToList();
+ }
+
 if (isHidden.HasValue)
 {
 var val = isHidden.Value;
From c6dbcb661bec6fc02347cd0bdce2e5e6e4ee0dbe Mon Sep 17 00:00:00 2001
From: Bill Thornton
Date: Thu, 10 Nov 2022 01:04:16 -0500
Subject: [PATCH 3/3] Use elevated access control for media folders endpoint

---
 Jellyfin.Api/Controllers/LibraryController.cs | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/Jellyfin.Api/Controllers/LibraryController.cs b/Jellyfin.Api/Controllers/LibraryController.cs
index b056215b92..7a57bf1a21 100644
--- a/Jellyfin.Api/Controllers/LibraryController.cs
+++ b/Jellyfin.Api/Controllers/LibraryController.cs
@@ -485,18 +485,12 @@ namespace Jellyfin.Api.Controllers
 /// Media folders returned.
 /// List of user media folders.
 [HttpGet("Library/MediaFolders")]
- [Authorize(Policy = Policies.DefaultAuthorization)]
+ [Authorize(Policy = Policies.RequiresElevation)]
 [ProducesResponseType(StatusCodes.Status200OK)]
 public ActionResult> GetMediaFolders([FromQuery] bool? isHidden)
 {
 var items = _libraryManager.GetUserRootFolder().Children.Concat(_libraryManager.RootFolder.VirtualChildren).OrderBy(i => i.SortName).ToList();
 
- if (!User.GetIsApiKey() && !User.IsInRole(UserRoles.Administrator))
- {
- var user = _userManager.GetUserById(User.GetUserId());
- items = items.Where(i => i.IsVisible(user)).ToList();
- }
-
 if (isHidden.HasValue)
 {
 var val = isHidden.Value;
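Review bot: The doc line `/// List of user media folders.` (presumably the `<returns>` element, tags stripped in this rendering) still describes a per-user result, but with `Policies.RequiresElevation` the action now returns the unfiltered root children and only elevated callers reach it; rewording it to `/// List of all media folders; requires elevated access.` keeps the generated API description honest. A non-elevated caller is now rejected by the authorization layer before the body runs, so the response metadata could declare that outcome next to the 200, e.g. `[ProducesResponseType(StatusCodes.Status403Forbidden)]`, assuming 403 is what a failed policy yields here. This is also a behaviour change for any non-admin client that called Library/MediaFolders under DefaultAuthorization, which is worth a line in the commit message or changelog. GetMediaFolders continues past the end of the hunk.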