Library access controls do not prevent API listing of all server content #4342

New Issue

Closed

opened 2026-02-07 00:45:27 +03:00 by OVERLORD · 2 comments

OVERLORD commented 2026-02-07 00:45:27 +03:00

Owner

Copy Link

Originally created by @thornbill on GitHub (Nov 9, 2022).

Originally assigned to: @Shadowghost on GitHub.

Please describe your bug

Limiting a user's access to libraries does not prevent them from discovering and listing the contents of all libraries on a server via the API. Similarly disabling live TV access does not prevent a user from listing all TV channels via the API.

1. Disable a user's access to all libraries and live TV in the admin dashboard.
2. Verify that the Policy returned by /Users/{USER_ID} includes:
   • EnableAllFolders: false
   • EnabledFolders: []
   • EnableLiveTvAccess: false
3. Make a request to /Library/MediaFolders and observe that a list of ALL libraries are returned.
4. Using a library ID returned in the previous step, make a request to /Users/{USER_ID}/Items?ParentId={LIBRARY_ID} and observe that a list of ALL library contents are returned.
5. Make a request to /LiveTv/Channels and observe that a list of ALL channels are returned.

Jellyfin Version

likely all, tested on 10.8.1, 10.8.7, and unstable

Code of Conduct

• I agree to follow this project's Code of Conduct

Originally created by @thornbill on GitHub (Nov 9, 2022). Originally assigned to: @Shadowghost on GitHub. ### Please describe your bug Limiting a user's access to libraries does not prevent them from discovering and listing the contents of all libraries on a server via the API. Similarly disabling live TV access does not prevent a user from listing all TV channels via the API. 1. Disable a user's access to all libraries and live TV in the admin dashboard. 2. Verify that the `Policy` returned by `/Users/{USER_ID}` includes: * `EnableAllFolders: false` * `EnabledFolders: []` * `EnableLiveTvAccess: false` 3. Make a request to `/Library/MediaFolders` and observe that a list of ALL libraries are returned. 4. Using a library ID returned in the previous step, make a request to `/Users/{USER_ID}/Items?ParentId={LIBRARY_ID}` and observe that a list of ALL library contents are returned. 5. Make a request to `/LiveTv/Channels` and observe that a list of ALL channels are returned. ### Jellyfin Version likely all, tested on 10.8.1, 10.8.7, and unstable ### Code of Conduct - [X] I agree to follow this project's Code of Conduct

OVERLORD added the bugsecurity labels 2026-02-07 00:45:27 +03:00

OVERLORD closed this issue 2026-02-07 00:45:28 +03:00

OVERLORD commented 2026-02-07 00:45:29 +03:00

Author

Owner

Copy Link

@VideoFX commented on GitHub (Nov 12, 2022):

Oh I got this too, i posted this before i noticed your post: https://github.com/jellyfin/jellyfin/issues/8730

@VideoFX commented on GitHub (Nov 12, 2022): Oh I got this too, i posted this before i noticed your post: https://github.com/jellyfin/jellyfin/issues/8730

OVERLORD commented 2026-02-07 00:45:31 +03:00

Author

Owner

Copy Link

@Shadowghost commented on GitHub (May 15, 2023):

All ACL issues listed are fixed in current master.

@Shadowghost commented on GitHub (May 15, 2023): All ACL issues listed are fixed in current master.

OVERLORD referenced this issue 2026-02-07 06:12:56 +03:00

[PR #4342] [MERGED] Add BaseItemManager #10035

OVERLORD referenced this issue 2026-02-07 06:13:16 +03:00

[PR #4394] [CLOSED] BaseItemManager - 2 #10055

OVERLORD referenced this issue 2026-02-07 06:33:35 +03:00

[PR #6849] [MERGED] Actually check server disabled metadata providers #11165

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

master

release-10.11.z

renovate/skiasharp-monorepo

JPVenson-patch-1

renovate/morestachio-5.x

release-10.9.z

openapi-cache

release-10.10.z

explicit-load

explicit-load-v2

feature/entity-framework

only-count-folder-item

fix/ci-workflow-refactor

release-10.8.z

release-10.7.z

EraYaN-add-management-interface

release-10.6.z

release-10.5.z

release-10.4.z

release-10.3.z

release-10.2.z

release-10.1.0

v10.11.6

v10.11.5

v10.11.4

v10.11.3

v10.11.2

v10.11.1

v10.11.0

v10.11.0-rc9

v10.11.0-rc8

v10.11.0-rc7

v10.11.0-rc6

v10.11.0-rc5

v10.11.0-rc4

v10.11.0-rc3

v10.11.0-rc2

v10.11.0-rc1

v10.10.7

v10.10.6

v10.10.5

v10.10.4

v10.10.3

v10.10.2

v10.10.1

v10.10.0

v10.9.11

v10.9.10

v10.9.9

v10.9.8

v10.9.7

v10.9.6

v10.9.5

v10.9.4

v10.9.3

v10.9.2

v10.9.1

v10.9.0

v10.8.13

v10.8.12

v10.8.11

v10.8.10

v10.8.9

v10.8.8

v10.8.7

v10.8.6

v10.8.5

v10.8.4

v10.8.3

v10.8.2

v10.8.1

v10.8.0

v10.8.0-beta3

v10.8.0-beta2

v10.8.0-beta1

v10.8.0-alpha5

v10.8.0-alpha4

v10.8.0-alpha3

v10.8.0-alpha2

v10.8.0-alpha1

v10.7.7

v10.7.6

v10.7.5

v10.7.4

v10.7.3

v10.7.2

v10.7.1

v10.7.0

v10.7.0-rc4

v10.7.0-rc3

v10.7.0-rc2

v10.7.0-rc1

v10.6.4

v10.6.3

v10.6.2

v10.6.1

v10.6.0

v10.5.5

v10.5.4

v10.5.3

v10.5.2

v10.5.1

v10.5.0

v10.4.3

v10.4.2

v10.4.1

v10.4.0

v10.3.7

v10.3.6

v10.3.5

v10.3.4

v10.3.3

v10.3.2

v10.3.1

v10.3.0

v10.3.0-rc2

v10.3.0-rc1

v10.2.2

v10.2.1

v10.2.0

v10.1.0

v10.0.1

v10.0.0

v10.0.2

v3.5.2-5

Labels

Clear labels

EFjellyfin.db

area:database

awaiting-feedback

backend

blocked

breaking change: web api

bug

build

ci

confirmed

discussion needed

dotnet future

downstream

duplicate

enhancement

feature

future

github-actions

good first issue

hdr

help wanted

invalid

investigation

librarydb

live-tv

lyrics

media playback

music

needs testing

nuget

performance

platform

pull-request

Mirrored from GitHub Pull Request

question

regression

release critical

requires-web

roadmap

security

security

stale

support

syncplay

ui & ux

upstream

wontfix

No Label bug security

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

OVERLORD

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/jellyfin#4342