Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

checking user-permission in GetQueryResult #930

Merged
merged 4 commits into from
Feb 20, 2019
Merged

checking user-permission in GetQueryResult #930

merged 4 commits into from
Feb 20, 2019

Conversation

fruhnow
Copy link
Contributor

@fruhnow fruhnow commented Feb 18, 2019

When accessing emby/Users/{UserId}/Items you are able to access Libraries which you arent supposed to be able to access (ticked off in the AdminUI). There might be/are for sure other Endpoints which just blow out data without proper User-Authorization-Checks.

Changes
I added a short User-Access-Validation in GetQueryResult. This leads to Issue #837 being fixed (the View just stays empty). Unsuccessful tries to access a library will be logged as a warning.
(added myself to the Contributors.md, which i forgot last time)

Issues
#837

@fruhnow
checking user-permission in GetQueryResult to prevent accessing the l…
967d5de 
…ibrary without permission but having a link. (+added myself as contributor. forgot last time bout that)
Bond-009
Bond-009 requested changes Feb 18, 2019
View reviewed changes
JustAMan
JustAMan approved these changes Feb 20, 2019
View reviewed changes
Copy link
Contributor

@JustAMan JustAMan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, more security please!

@JustAMan JustAMan merged commit 60df855 into jellyfin:master Feb 20, 2019
@fruhnow fruhnow deleted the AuthorizationCheck branch February 20, 2019 13:03
@pjeanjean pjeanjean mentioned this pull request May 7, 2019
Closed
This was referenced Jun 4, 2019
Closed
Merged
@joern-h joern-h mentioned this pull request Jun 24, 2019
Merged
This was referenced Mar 30, 2020
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cvium cvium cvium approved these changes

@JustAMan JustAMan JustAMan approved these changes

@Bond-009 Bond-009 Bond-009 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@fruhnow @cvium @JustAMan @Bond-009