From a87ea327151fcb7ec67ce981bb6a44878a9ab343 Mon Sep 17 00:00:00 2001
From: advplyr <advplyr@protonmail.com>
Date: Mon, 13 Oct 2025 09:50:01 -0500
Subject: [PATCH] Fix admin user unable to close sessions of other users #4746

---
 server/controllers/SessionController.js | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/server/controllers/SessionController.js b/server/controllers/SessionController.js
index 872f635de..7cc8d35e2 100644
--- a/server/controllers/SessionController.js
+++ b/server/controllers/SessionController.js
@@ -339,9 +339,9 @@ class SessionController {
     var playbackSession = this.playbackSessionManager.getSession(req.params.id)
     if (!playbackSession) return res.sendStatus(404)
 
-    if (playbackSession.userId !== req.user.id) {
-      Logger.error(`[SessionController] User "${req.user.username}" attempting to access session belonging to another user "${req.params.id}"`)
-      return res.sendStatus(404)
+    if (playbackSession.userId !== req.user.id && !req.user.isAdminOrUp) {
+      Logger.error(`[SessionController] Non-admin user "${req.user.username}" attempting to access session belonging to another user "${req.params.id}"`)
+      return res.sendStatus(403)
     }
 
     req.playbackSession = playbackSession