From 9f352ccb5b5ab85eac064f70fc819f04984fa0d7 Mon Sep 17 00:00:00 2001
From: Bill Thornton <billt2006@gmail.com>
Date: Wed, 9 Nov 2022 18:31:30 -0500
Subject: [PATCH] Fix media folders endpoint access control

---
 Jellyfin.Api/Controllers/LibraryController.cs | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/Jellyfin.Api/Controllers/LibraryController.cs b/Jellyfin.Api/Controllers/LibraryController.cs
index e9492a6a47..b056215b92 100644
--- a/Jellyfin.Api/Controllers/LibraryController.cs
+++ b/Jellyfin.Api/Controllers/LibraryController.cs
@@ -491,6 +491,12 @@ namespace Jellyfin.Api.Controllers
         {
             var items = _libraryManager.GetUserRootFolder().Children.Concat(_libraryManager.RootFolder.VirtualChildren).OrderBy(i => i.SortName).ToList();
 
+            if (!User.GetIsApiKey() && !User.IsInRole(UserRoles.Administrator))
+            {
+                var user = _userManager.GetUserById(User.GetUserId());
+                items = items.Where(i => i.IsVisible(user)).ToList();
+            }
+
             if (isHidden.HasValue)
             {
                 var val = isHidden.Value;