Update pathexists endpoint to check user has access to library

2025-10-27 11:18:14 +01:00 · 2025-06-11 16:04:18 -05:00 · 2025-06-11 16:04:18 -05:00 · aac01d6d9a
commit aac01d6d9a
parent 7a33a412fc
1 changed files with 5 additions and 0 deletions
--- a/server/controllers/FileSystemController.js
+++ b/server/controllers/FileSystemController.js
@ -108,6 +108,11 @@ class FileSystemController {
      return res.sendStatus(404)
    }

+    if (!req.user.checkCanAccessLibrary(libraryFolder.libraryId)) {
+      Logger.error(`[FileSystemController] User "${req.user.username}" attempting to check path exists for library "${libraryFolder.libraryId}" without access`)
+      return res.sendStatus(403)
+    }
+
    const filepath = Path.join(libraryFolder.path, directory)

    // Ensure filepath is inside library folder (prevents directory traversal)