From b7e8a0474a9df3b175b587405133898a4b1f7c1c Mon Sep 17 00:00:00 2001
From: advplyr
Date: Sun, 19 Apr 2026 16:20:31 -0500
Subject: [PATCH] Update bulk download endpoint ensure items are from the same library requested
---
 server/controllers/LibraryController.js | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/server/controllers/LibraryController.js b/server/controllers/LibraryController.js
index be9d03328..73b3d5c60 100644
--- a/server/controllers/LibraryController.js
+++ b/server/controllers/LibraryController.js
@@ -1435,10 +1435,15 @@ class LibraryController {
 const libraryItems = await Database.libraryItemModel.findAll({
 attributes: ['id', 'libraryId', 'path', 'isFile'],
 where: {
- id: itemIds
+ id: itemIds,
+ libraryId: req.library.id
 }
 })
+ if (libraryItems.length < itemIds.length) {
+ Logger.warn(`[LibraryController] User "${req.user.username}" requested ${itemIds.length} items but only ${libraryItems.length} are in library "${req.library.id}"`)
+ }
+
 Logger.info(`[LibraryController] User "${req.user.username}" requested download for items "${itemIds}"`)
 const filename = `LibraryItems-${Date.now()}.zip`
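Review bot: The new `libraryItems.length < itemIds.length` check only logs, so a request whose ids all fall outside `req.library.id` still continues to the archive code after this hunk with an empty `libraryItems`. Consider ending the request at that point, e.g. `if (!libraryItems.length) return res.sendStatus(404)`, assuming `res` is the Express response of this handler, whose start and end are outside the hunk. If `itemIds` can contain duplicates (its construction is not visible here), the count comparison also warns on a fully legitimate request; comparing against `new Set(itemIds).size` avoids that. The warning would be more useful as a detection signal if it listed the ids that were filtered out. The query is now scoped by library, but no per-item access check for `req.user` is visible in this hunk, so confirm item-level restrictions are enforced elsewhere before the files are archived.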