mirror of
https://github.com/jellyfin/jellyfin.git
synced 2026-07-16 05:43:54 +03:00
[Issue]: SessionController permissions #5610
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @bin101 on GitHub (Apr 16, 2024).
Please describe your bug
A user can see every session of every user if they do not provide their own user ID as a query parameter. Instead, it is assumed that the user has administrator rights.
Noticed this as a friend of mine said he can see every session via his homarr dashboard.
Reproduction Steps
Jellyfin Version
10.8.13
if other:
No response
Environment
Jellyfin logs
FFmpeg logs
No response
Please attach any browser or client logs here
No response
Please attach any screenshots here
No response
Code of Conduct
@jellyfin-bot commented on GitHub (Apr 16, 2024):
Hi, it seems like your issue report has the following item(s) that need to be addressed:
This is an automated message, currently under testing. Please file an issue here if you encounter any problems.