Limit sessions per user (#11370)

2025-12-16 22:13:06 +03:00 · 2024-04-21 10:54:49 -06:00
parent 43569082f9
commit 27fae3dd04
2 changed files with 8 additions and 2 deletions
--- a/Jellyfin.Api/Controllers/SessionController.cs
+++ b/Jellyfin.Api/Controllers/SessionController.cs
@@ -84,7 +84,8 @@ public class SessionController : BaseJellyfinApiController

            if (!user.HasPermission(PermissionKind.EnableRemoteControlOfOtherUsers))
            {
-                result = result.Where(i => i.UserId.IsEmpty() || i.ContainsUser(controllableByUserId.Value));
+                // User cannot control other user's sessions, validate user id.
+                result = result.Where(i => i.UserId.IsEmpty() || i.ContainsUser(RequestHelpers.GetUserId(User, controllableByUserId)));
            }

            if (!user.HasPermission(PermissionKind.EnableSharedDeviceControl))
@@ -105,6 +106,11 @@ public class SessionController : BaseJellyfinApiController
                return true;
            });
        }
+        else if (!User.IsInRole(UserRoles.Administrator))
+        {
+            // Request isn't from administrator, limit to "own" sessions.
+            result = result.Where(i => i.UserId.IsEmpty() || i.ContainsUser(User.GetUserId()));
+        }

        if (activeWithinSeconds.HasValue && activeWithinSeconds.Value > 0)
        {