extern/audiobookshelf
1
0
Fork 0
mirror of https://github.com/advplyr/audiobookshelf.git synced 2025-06-20 09:48:25 +02:00
Code Issues Packages Projects Releases Wiki Activity

Update pathexists endpoint to check user has access to library

Browse Source
This commit is contained in:
advplyr 2025-06-11 16:04:18 -05:00
parent 7a33a412fc
commit aac01d6d9a
1 changed files with 5 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
server/controllers/FileSystemController.js
View File

@ -108,6 +108,11 @@ class FileSystemController {
return res.sendStatus(404)
}
if (!req.user.checkCanAccessLibrary(libraryFolder.libraryId)) {
Logger.error(`[FileSystemController] User "${req.user.username}" attempting to check path exists for library "${libraryFolder.libraryId}" without access`)
return res.sendStatus(403)
}
const filepath = Path.join(libraryFolder.path, directory)
// Ensure filepath is inside library folder (prevents directory traversal)