Merge pull request #4398 from advplyr/pathexists_user_access

Update pathexists endpoint to check user has access to library

server/controllers/FileSystemController.js

@@ -108,6 +108,11 @@ class FileSystemController {
       return res.sendStatus(404)
     }
 
+    if (!req.user.checkCanAccessLibrary(libraryFolder.libraryId)) {
+      Logger.error(`[FileSystemController] User "${req.user.username}" attempting to check path exists for library "${libraryFolder.libraryId}" without access`)
+      return res.sendStatus(403)
+    }
+
     const filepath = Path.join(libraryFolder.path, directory)
 
     // Ensure filepath is inside library folder (prevents directory traversal)

server/controllers/MiscController.js

@@ -59,6 +59,12 @@ class MiscController {
     if (!library) {
       return res.status(404).send('Library not found')
     }
+
+    if (!req.user.checkCanAccessLibrary(library.id)) {
+      Logger.error(`[MiscController] User "${req.user.username}" attempting to upload to library "${library.id}" without access`)
+      return res.sendStatus(403)
+    }
+
     const folder = library.libraryFolders.find((fold) => fold.id === folderId)
     if (!folder) {
       return res.status(404).send('Folder not found')