From 6c8b40f413bf634705dcfe6df2d7d5f8efc46c43 Mon Sep 17 00:00:00 2001 From: Bill Thornton Date: Wed, 9 Nov 2022 18:02:49 -0500 Subject: [PATCH 1/4] Fix items endpoint not honoring library access control --- Jellyfin.Api/Controllers/ItemsController.cs | 27 ++++----------------- 1 file changed, 5 insertions(+), 22 deletions(-) diff --git a/Jellyfin.Api/Controllers/ItemsController.cs b/Jellyfin.Api/Controllers/ItemsController.cs index 58caae9f85..e5ef6b23e9 100644 --- a/Jellyfin.Api/Controllers/ItemsController.cs +++ b/Jellyfin.Api/Controllers/ItemsController.cs @@ -270,30 +270,13 @@ namespace Jellyfin.Api.Controllers includeItemTypes = new[] { BaseItemKind.Playlist }; } - var enabledChannels = user!.GetPreferenceValues(PreferenceKind.EnabledChannels); - - bool isInEnabledFolder = Array.IndexOf(user.GetPreferenceValues(PreferenceKind.EnabledFolders), item.Id) != -1 - // Assume all folders inside an EnabledChannel are enabled - || Array.IndexOf(enabledChannels, item.Id) != -1 - // Assume all items inside an EnabledChannel are enabled - || Array.IndexOf(enabledChannels, item.ChannelId) != -1; - - var collectionFolders = _libraryManager.GetCollectionFolders(item); - foreach (var collectionFolder in collectionFolders) - { - if (user.GetPreferenceValues(PreferenceKind.EnabledFolders).Contains(collectionFolder.Id)) - { - isInEnabledFolder = true; - } - } - if (item is not UserRootFolder - && !isInEnabledFolder - && !user.HasPermission(PermissionKind.EnableAllFolders) - && !user.HasPermission(PermissionKind.EnableAllChannels) - && !string.Equals(collectionType, CollectionType.Folders, StringComparison.OrdinalIgnoreCase)) + // api keys can always access all folders + && !ClaimHelpers.GetIsApiKey(User) + // check the item is visible for the user + && !item.IsVisible(user)) { - _logger.LogWarning("{UserName} is not permitted to access Library {ItemName}.", user.Username, item.Name); + _logger.LogWarning("{UserName} is not permitted to access Library {ItemName}", user!.Username, item.Name); return Unauthorized($"{user.Username} is not permitted to access Library {item.Name}."); } From 4f3d562d75f035f65f90afb7f136b4f4c062ec5d Mon Sep 17 00:00:00 2001 From: Bill Thornton Date: Wed, 9 Nov 2022 18:31:30 -0500 Subject: [PATCH 2/4] Fix media folders endpoint access control --- Jellyfin.Api/Controllers/LibraryController.cs | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/Jellyfin.Api/Controllers/LibraryController.cs b/Jellyfin.Api/Controllers/LibraryController.cs index 4cc17dd0fc..9f98a78c2f 100644 --- a/Jellyfin.Api/Controllers/LibraryController.cs +++ b/Jellyfin.Api/Controllers/LibraryController.cs @@ -11,6 +11,7 @@ using System.Threading.Tasks; using Jellyfin.Api.Attributes; using Jellyfin.Api.Constants; using Jellyfin.Api.Extensions; +using Jellyfin.Api.Helpers; using Jellyfin.Api.ModelBinders; using Jellyfin.Api.Models.LibraryDtos; using Jellyfin.Data.Entities; @@ -498,6 +499,12 @@ namespace Jellyfin.Api.Controllers { var items = _libraryManager.GetUserRootFolder().Children.Concat(_libraryManager.RootFolder.VirtualChildren).OrderBy(i => i.SortName).ToList(); + if (!ClaimHelpers.GetIsApiKey(User) && !User.IsInRole(UserRoles.Administrator)) + { + var user = _userManager.GetUserById(ClaimHelpers.GetUserId(User)!.Value); + items = items.Where(i => i.IsVisible(user)).ToList(); + } + if (isHidden.HasValue) { var val = isHidden.Value; From e90031b4cc665c962fbf3cc193b4ab165c9275dd Mon Sep 17 00:00:00 2001 From: Bill Thornton Date: Thu, 10 Nov 2022 01:04:16 -0500 Subject: [PATCH 3/4] Use elevated access control for media folders endpoint --- Jellyfin.Api/Controllers/LibraryController.cs | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/Jellyfin.Api/Controllers/LibraryController.cs b/Jellyfin.Api/Controllers/LibraryController.cs index 9f98a78c2f..dc13773480 100644 --- a/Jellyfin.Api/Controllers/LibraryController.cs +++ b/Jellyfin.Api/Controllers/LibraryController.cs @@ -493,18 +493,12 @@ namespace Jellyfin.Api.Controllers /// Media folders returned. /// List of user media folders. [HttpGet("Library/MediaFolders")] - [Authorize(Policy = Policies.DefaultAuthorization)] + [Authorize(Policy = Policies.RequiresElevation)] [ProducesResponseType(StatusCodes.Status200OK)] public ActionResult> GetMediaFolders([FromQuery] bool? isHidden) { var items = _libraryManager.GetUserRootFolder().Children.Concat(_libraryManager.RootFolder.VirtualChildren).OrderBy(i => i.SortName).ToList(); - if (!ClaimHelpers.GetIsApiKey(User) && !User.IsInRole(UserRoles.Administrator)) - { - var user = _userManager.GetUserById(ClaimHelpers.GetUserId(User)!.Value); - items = items.Where(i => i.IsVisible(user)).ToList(); - } - if (isHidden.HasValue) { var val = isHidden.Value; From 79d7a4d4dfb945d176f2d37768bdcf538ddbbf03 Mon Sep 17 00:00:00 2001 From: Bill Thornton Date: Wed, 16 Nov 2022 10:27:41 -0500 Subject: [PATCH 4/4] Remove unused using statement --- Jellyfin.Api/Controllers/LibraryController.cs | 1 - 1 file changed, 1 deletion(-) diff --git a/Jellyfin.Api/Controllers/LibraryController.cs b/Jellyfin.Api/Controllers/LibraryController.cs index dc13773480..72c9d079a8 100644 --- a/Jellyfin.Api/Controllers/LibraryController.cs +++ b/Jellyfin.Api/Controllers/LibraryController.cs @@ -11,7 +11,6 @@ using System.Threading.Tasks; using Jellyfin.Api.Attributes; using Jellyfin.Api.Constants; using Jellyfin.Api.Extensions; -using Jellyfin.Api.Helpers; using Jellyfin.Api.ModelBinders; using Jellyfin.Api.Models.LibraryDtos; using Jellyfin.Data.Entities;