
Roku 1.6 Access controls are broken. Leaking restricted search results. #8730

Open
1 task done
VideoFX opened this issue Nov 12, 2022 · 5 comments
Labels
bug Something isn't working security The issue is a security issue.

Comments


VideoFX commented Nov 12, 2022

Describe the bug
For Jellyfin Roku 1.6, the search function allows users without access to libraries to see results from the restricted libraries. However, on other apps such as the web browser and Android, the access controls work as expected.

To Reproduce
Search for something you are not supposed to have access to.

Server:
Ubuntu 20.04
Jellyfin.Server 10.8.7.0

Client:
Roku Jellyfin 1.6

Jellyfin Version: 10.8.0 (if other: 10.8.7.0)

Environment

- OS: Ubuntu 20.04
- Virtualization: Xen
- Clients: Roku Jellyfin 1.6

Jellyfin logs: No response

FFmpeg logs: No response

Browser or client logs: No response

Screenshots: No response

Code of Conduct

  • I agree to follow this project's Code of Conduct
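An added audit script, not part of this issue or of the Jellyfin project, that checks the behaviour reported above from the server side: it takes the libraries a user is allowed to see and a set of search results, and reports any result whose ancestors include none of those libraries. The endpoint paths, the `X-Emby-Token` header and the response shapes are assumptions about the 10.8 API; the sample data is constructed.

```python
"""Check that a Jellyfin user's search results stay inside that user's
allowed libraries. The pure functions run offline; audit_user() is a thin
HTTP wrapper (endpoint paths and header name assumed for 10.8)."""
import json
import urllib.parse
import urllib.request


def allowed_library_ids(views_response: dict) -> set:
    """Library ids from GET /Users/{userId}/Views as seen by that user."""
    return {v["Id"] for v in views_response.get("Items", [])}


def find_leaks(search_items: list, ancestors_by_item: dict, allowed: set) -> list:
    """Names of search results that sit under no allowed library.
    ancestors_by_item maps item Id -> list from GET /Items/{id}/Ancestors."""
    leaks = []
    for item in search_items:
        ancestor_ids = {a["Id"] for a in ancestors_by_item.get(item["Id"], [])}
        if not ancestor_ids & allowed:
            leaks.append(item["Name"])
    return leaks


def _get(base: str, path: str, token: str):
    req = urllib.request.Request(base + path, headers={"X-Emby-Token": token})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def audit_user(base: str, user_id: str, token: str, term: str) -> list:
    """Run the check against a live server with the restricted user's token."""
    views = _get(base, f"/Users/{user_id}/Views", token)
    q = urllib.parse.quote(term)
    found = _get(base, f"/Users/{user_id}/Items?searchTerm={q}&Recursive=true", token)
    items = found.get("Items", [])
    anc = {i["Id"]: _get(base, f"/Items/{i['Id']}/Ancestors?userId={user_id}", token)
           for i in items}
    return find_leaks(items, anc, allowed_library_ids(views))


# Constructed sample: the user may see only "lib-kids", yet search returned two hits.
SAMPLE_VIEWS = {"Items": [{"Id": "lib-kids", "Name": "Kids Movies"}]}
SAMPLE_SEARCH = [{"Id": "m1", "Name": "Cartoon Film"}, {"Id": "m2", "Name": "Adult Thriller"}]
SAMPLE_ANCESTORS = {
    "m1": [{"Id": "folder-a"}, {"Id": "lib-kids"}, {"Id": "root"}],
    "m2": [{"Id": "folder-b"}, {"Id": "lib-adult"}, {"Id": "root"}],
}

if __name__ == "__main__":
    print(find_leaks(SAMPLE_SEARCH, SAMPLE_ANCESTORS, allowed_library_ids(SAMPLE_VIEWS)))
```

Run the same audit with a token from each client type (Roku, web) to see whether the leak depends on how the client calls the API, as the later comments suggest.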

VideoFX commented Nov 12, 2022

Maybe the reason, or related security issue: #8718

@anthonylavado (Member) commented

Looks like the latest release of 10.8.8 had at least a partial fix of this issue. I believe the only thing it doesn't cover is Live TV. Can you check and see if it's working as expected?

@jellyfin-bot jellyfin-bot added this to Needs triage in Issue Triage for Main Repo Jan 8, 2023

VideoFX commented Jan 8, 2023

I can confirm it is not working. The new version still leaks search results for movies, and access restrictions are still circumvented. It is most easily observed when using the Jellyfin Roku app (which I was told uses the API slightly differently compared to the web version). However, access restriction works for the web version. I never observed a problem with access restrictions when using a web browser.

@StevenAlexander44 commented

Still an issue in 10.8.9

@surepointit commented

Can confirm same issue here.

Roku app 1.6 build 3

Jellyfin server 10.8.9

@Bond-009 Bond-009 added the security The issue is a security issue. label Mar 16, 2023