[PR #930] [MERGED] checking user-permission in GetQueryResult #8570

New Issue

OVERLORD · 2026-02-07T05:46:43+03:00

OVERLORD commented

2026-02-07 05:46:43 +03:00

📋 Pull Request Information

Original PR: https://github.com/jellyfin/jellyfin/pull/930
Author: @fruhnow
Created: 2/18/2019
Status: ✅ Merged
Merged: 2/20/2019
Merged by: @JustAMan

Base: master ← Head: AuthorizationCheck

📝 Commits (4)

967d5de checking user-permission in GetQueryResult to prevent accessing the library without permission but having a link. (+added myself as contributor. forgot last time bout that)
1d63154 adressing pr comments
ba003e0 adressing pr comments
53beebc switching logging to serilog convention according to pr comments

📊 Changes

2 files changed (+12 additions, -0 deletions)

View changed files

📝 CONTRIBUTORS.md (+1 -0)
📝 MediaBrowser.Api/UserLibrary/ItemsService.cs (+11 -0)

📄 Description

When accessing emby/Users/{UserId}/Items you are able to access Libraries which you arent supposed to be able to access (ticked off in the AdminUI). There might be/are for sure other Endpoints which just blow out data without proper User-Authorization-Checks.

Changes
I added a short User-Access-Validation in GetQueryResult. This leads to Issue #837 being fixed (the View just stays empty). Unsuccessful tries to access a library will be logged as a warning.
(added myself to the Contributors.md, which i forgot last time)

Issues
#837

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/jellyfin/jellyfin/pull/930 **Author:** [@fruhnow](https://github.com/fruhnow) **Created:** 2/18/2019 **Status:** ✅ Merged **Merged:** 2/20/2019 **Merged by:** [@JustAMan](https://github.com/JustAMan) **Base:** `master` ← **Head:** `AuthorizationCheck` --- ### 📝 Commits (4) - [`967d5de`](https://github.com/jellyfin/jellyfin/commit/967d5deeb79405ce7122c6124dac019b278ca70b) checking user-permission in GetQueryResult to prevent accessing the library without permission but having a link. (+added myself as contributor. forgot last time bout that) - [`1d63154`](https://github.com/jellyfin/jellyfin/commit/1d631540ace68a8079aba7f5a4d790397bcd3317) adressing pr comments - [`ba003e0`](https://github.com/jellyfin/jellyfin/commit/ba003e06efd55bc599cbd8c29be6a41b21e3c35e) adressing pr comments - [`53beebc`](https://github.com/jellyfin/jellyfin/commit/53beebc77415d9020bedb385483851e7bb96a929) switching logging to serilog convention according to pr comments ### 📊 Changes **2 files changed** (+12 additions, -0 deletions) <details> <summary>View changed files</summary> 📝 `CONTRIBUTORS.md` (+1 -0) 📝 `MediaBrowser.Api/UserLibrary/ItemsService.cs` (+11 -0) </details> ### 📄 Description When accessing `emby/Users/{UserId}/Items` you are able to access Libraries which you arent supposed to be able to access (ticked off in the AdminUI). There might be/are for sure other Endpoints which just blow out data without proper User-Authorization-Checks. **Changes** I added a short User-Access-Validation in GetQueryResult. This leads to Issue #837 being fixed (the View just stays empty). Unsuccessful tries to access a library will be logged as a warning. (added myself to the Contributors.md, which i forgot last time) **Issues** #837 --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>

OVERLORD added the pull-request label 2026-02-07 05:46:43 +03:00

OVERLORD closed this issue

2026-02-07 05:46:43 +03:00

OVERLORD referenced this issue

2026-02-07 07:02:01 +03:00

[PR #11227] Fix incorrect artwork displayed when playing audio #12803

Sign in to join this conversation.

Branches Tags

master

renovate/major-swashbuckle-aspnetcore-monorepo

renovate/microsoft

renovate/skiasharp-monorepo

JPVenson-patch-1

release-10.11.z

renovate/morestachio-5.x

release-10.9.z

openapi-cache

release-10.10.z

explicit-load

explicit-load-v2

feature/entity-framework

only-count-folder-item

fix/ci-workflow-refactor

release-10.8.z

release-10.7.z

EraYaN-add-management-interface

release-10.6.z

release-10.5.z

release-10.4.z

release-10.3.z

release-10.2.z

release-10.1.0

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/jellyfin#8570