From aac01d6d9a2d1943d88daf5ce90587052dd5208e Mon Sep 17 00:00:00 2001
From: advplyr
Date: Wed, 11 Jun 2025 16:04:18 -0500
Subject: [PATCH 1/3] Update pathexists endpoint to check user has access to library
---
 server/controllers/FileSystemController.js | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/server/controllers/FileSystemController.js b/server/controllers/FileSystemController.js
index edfd869c..39663d23 100644
--- a/server/controllers/FileSystemController.js
+++ b/server/controllers/FileSystemController.js
@@ -108,6 +108,11 @@ class FileSystemController {
 return res.sendStatus(404)
 }
+ if (!req.user.checkCanAccessLibrary(libraryFolder.libraryId)) {
+ Logger.error(`[FileSystemController] User "${req.user.username}" attempting to check path exists for library "${libraryFolder.libraryId}" without access`)
+ return res.sendStatus(403)
+ }
+
 const filepath = Path.join(libraryFolder.path, directory)
 // Ensure filepath is inside library folder (prevents directory traversal)
From a6f10ca48e923e4418adbb486881ad3942c8771a Mon Sep 17 00:00:00 2001
From: advplyr
Date: Wed, 11 Jun 2025 16:14:51 -0500
Subject: [PATCH 2/3] Update upload endpoint to check user has access to library
---
 server/controllers/MiscController.js | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/server/controllers/MiscController.js b/server/controllers/MiscController.js
index 0e5ad141..c779bdd6 100644
--- a/server/controllers/MiscController.js
+++ b/server/controllers/MiscController.js
@@ -59,6 +59,12 @@ class MiscController {
 if (!library) {
 return res.status(404).send('Library not found')
 }
+
+ if (!req.user.checkCanAccessLibrary(library.id)) {
+ Logger.error(`[MiscController] User "${req.user.username}" attempting to upload to library "${library.id}" without access`)
+ return res.sendStatus(403)
+ }
+
 const folder = library.libraryFolders.find((fold) => fold.id === folderId)
 if (!folder) {
 return res.status(404).send('Folder not found')
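Review bot: The new access check sits after the `return res.sendStatus(404)` for an unknown folder, so a caller without access to the library still learns whether a folder id exists (404) before being refused (403); the upload hunk in PATCH 2/3 has the same shape with its `'Library not found'` branch. If folder and library ids are meant to be opaque to users outside the library, returning the same status from both branches (or performing the access check before revealing lookup results) removes that small existence oracle. The `Logger.error` line gives a usable audit trail, though an authorization denial caused by the client is arguably `Logger.warn` rather than a server error. The enclosing handler starts before the hunk and its body continues after it.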
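Review bot: The added denial uses `res.sendStatus(403)` while the neighbouring branches use `res.status(404).send('Library not found')` and `res.status(404).send('Folder not found')`, so the upload handler now mixes two response styles in one method. Either `return res.status(403).send('Forbidden')` to match the surrounding code, or a follow-up that moves the 404 branches to `sendStatus` as the pathexists handler in PATCH 1/3 already does, would keep the handler consistent. The enclosing handler begins before the hunk and continues after it.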
From 22f6e86a12bd4a52f5cbddd76ea043cae3e3f3d0 Mon Sep 17 00:00:00 2001
From: advplyr
Date: Wed, 11 Jun 2025 16:37:07 -0500
Subject: [PATCH 3/3] Fix pathexists filepath back to posix
---
 server/controllers/FileSystemController.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/server/controllers/FileSystemController.js b/server/controllers/FileSystemController.js
index 39663d23..4b0a94b3 100644
--- a/server/controllers/FileSystemController.js
+++ b/server/controllers/FileSystemController.js
@@ -113,7 +113,8 @@ class FileSystemController {
 return res.sendStatus(403)
 }
- const filepath = Path.join(libraryFolder.path, directory)
+ let filepath = Path.join(libraryFolder.path, directory)
+ filepath = fileUtils.filePathToPOSIX(filepath)
 // Ensure filepath is inside library folder (prevents directory traversal)
 if (!filepath.startsWith(libraryFolder.path)) {
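Review bot: The containment guard on the last line of the hunk is a plain string-prefix test, so a path in a sibling directory whose name merely extends the library folder's path (a constructed example: `/books2/x` against a folder at `/books`) still satisfies `startsWith`, and the test also relies on `libraryFolder.path` already being in POSIX form, which only the new `filepath` side is guaranteed here. A separator-aware comparison closes both gaps, assuming `Path` is Node's `path` module: `const libraryPath = fileUtils.filePathToPOSIX(libraryFolder.path)`, `const relative = Path.posix.relative(libraryPath, filepath)`, and `if (relative === '..' || relative.startsWith('../') || Path.posix.isAbsolute(relative)) {` in place of the `startsWith` line. Extending the existing comment to read `// Ensure filepath is inside library folder (prevents directory traversal); both sides must be POSIX-normalised before comparing` would record why the normalisation on the previous line matters. The handler starts before the hunk and the rejection branch continues after it.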