Update upload endpoint to check user has access to library

Update pathexists endpoint to check user has access to library
Merge pull request #4393 from advplyr/fix_pathexists_join
2026-01-01 20:17:51 -05:00 · 2025-06-11 16:14:51 -05:00 · 2025-06-11 16:04:18 -05:00 · 2025-06-10 17:20:23 -05:00
2 changed files with 11 additions and 0 deletions
--- a/server/controllers/FileSystemController.js
+++ b/server/controllers/FileSystemController.js
@@ -108,6 +108,11 @@ class FileSystemController {
      return res.sendStatus(404)
    }

+    if (!req.user.checkCanAccessLibrary(libraryFolder.libraryId)) {
+      Logger.error(`[FileSystemController] User "${req.user.username}" attempting to check path exists for library "${libraryFolder.libraryId}" without access`)
+      return res.sendStatus(403)
+    }
+
    const filepath = Path.join(libraryFolder.path, directory)

    // Ensure filepath is inside library folder (prevents directory traversal)
--- a/server/controllers/MiscController.js
+++ b/server/controllers/MiscController.js
@@ -59,6 +59,12 @@ class MiscController {
    if (!library) {
      return res.status(404).send('Library not found')
    }
+
+    if (!req.user.checkCanAccessLibrary(library.id)) {
+      Logger.error(`[MiscController] User "${req.user.username}" attempting to upload to library "${library.id}" without access`)
+      return res.sendStatus(403)
+    }
+
    const folder = library.libraryFolders.find((fold) => fold.id === folderId)
    if (!folder) {
      return res.status(404).send('Folder not found')
Author	SHA1	Message	Date
advplyr	a6f10ca48e	Update upload endpoint to check user has access to library	2025-06-11 16:14:51 -05:00
advplyr	aac01d6d9a	Update pathexists endpoint to check user has access to library	2025-06-11 16:04:18 -05:00
advplyr	7a33a412fc	Merge pull request #4393 from advplyr/fix_pathexists_join Fix filesystem pathexists path join	2025-06-10 17:20:23 -05:00