diff --git a/server/controllers/FileSystemController.js b/server/controllers/FileSystemController.js
index 422089ba..370f12b4 100644
--- a/server/controllers/FileSystemController.js
+++ b/server/controllers/FileSystemController.js
@@ -125,7 +125,13 @@ class FileSystemController {
 return res.sendStatus(404)
 }
- const filepath = Path.join(libraryFolder.path, directory)
+ if (!req.user.checkCanAccessLibrary(libraryFolder.libraryId)) {
+ Logger.error(`[FileSystemController] User "${req.user.username}" attempting to check path exists for library "${libraryFolder.libraryId}" without access`)
+ return res.sendStatus(403)
+ }
+
+ let filepath = Path.join(libraryFolder.path, directory)
+ filepath = fileUtils.filePathToPOSIX(filepath)
 // Ensure filepath is inside library folder (prevents directory traversal) (And convert libraryFolder to Path to normalize)
 if (!filepath.startsWith(Path.join(libraryFolder.path))) {
diff --git a/server/controllers/MiscController.js b/server/controllers/MiscController.js
index 0e5ad141..c779bdd6 100644
--- a/server/controllers/MiscController.js
+++ b/server/controllers/MiscController.js
@@ -59,6 +59,12 @@ class MiscController {
 if (!library) {
 return res.status(404).send('Library not found')
 }
+
+ if (!req.user.checkCanAccessLibrary(library.id)) {
+ Logger.error(`[MiscController] User "${req.user.username}" attempting to upload to library "${library.id}" without access`)
+ return res.sendStatus(403)
+ }
+
 const folder = library.libraryFolders.find((fold) => fold.id === folderId)
 if (!folder) {
 return res.status(404).send('Folder not found')
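Review bot: The new 403 branch in the MiscController hunk returns after the request body has already been consumed, so if the upload middleware that populates the request has written the uploaded files to temporary storage (the handler's start is outside the hunk, so this cannot be confirmed here), this early return should dispose of them the same way the handler's other early returns do; otherwise a user without access to the library can still exhaust temp storage before being rejected. The surrounding 404 paths use `res.status(404).send('…')` while the new branch uses `res.sendStatus(403)`; either form works, but mixing them in one handler is inconsistent. Placing the check after the library lookup also means a user without access can distinguish an existing library id (403) from a missing one (404), which is a minor disclosure worth a comment if it is intentional: `// Access is checked after the lookup so unknown ids still return 404; existence of library ids is not treated as sensitive`.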