Validate item access (#11171)

author: Cody Robibero <cody@robibe.ro> 2024-04-14 08:18:36 -0600
committer: GitHub <noreply@github.com> 2024-04-14 08:18:36 -0600
commit: 6fb6b5f1766a1f37a61b9faaa40209bab995bf30 (patch)
tree: f169e72afeda371db2ffeb1b47c4dd88a03b4744 /Jellyfin.Api/Controllers/ItemLookupController.cs
parent: 9a4db8008593647cb6728b10317680dd3152c934 (diff)
1 files changed, 11 insertions, 2 deletions
diff --git a/Jellyfin.Api/Controllers/ItemLookupController.cs b/Jellyfin.Api/Controllers/ItemLookupController.cs
index e3aee1bf7..d009f80a9 100644
--- a/Jellyfin.Api/Controllers/ItemLookupController.cs
+++ b/Jellyfin.Api/Controllers/ItemLookupController.cs
@@ -4,6 +4,8 @@ using System.ComponentModel.DataAnnotations;
 using System.Threading;
 using System.Threading.Tasks;
 using Jellyfin.Api.Constants;
+using Jellyfin.Api.Extensions;
+using Jellyfin.Api.Helpers;
 using MediaBrowser.Common.Api;
 using MediaBrowser.Controller.Entities;
 using MediaBrowser.Controller.Entities.Audio;
@@ -64,7 +66,7 @@ public class ItemLookupController : BaseJellyfinApiController
     [ProducesResponseType(StatusCodes.Status404NotFound)]
     public ActionResult<IEnumerable<ExternalIdInfo>> GetExternalIdInfos([FromRoute, Required] Guid itemId)
     {
-        var item = _libraryManager.GetItemById(itemId);
+        var item = _libraryManager.GetItemById<BaseItem>(itemId, User.GetUserId());
         if (item is null)
         {
             return NotFound();
@@ -234,6 +236,7 @@ public class ItemLookupController : BaseJellyfinApiController
     /// <param name="searchResult">The remote search result.</param>
     /// <param name="replaceAllImages">Optional. Whether or not to replace all images. Default: True.</param>
     /// <response code="204">Item metadata refreshed.</response>
+    /// <response code="404">Item not found.</response>
     /// <returns>
     /// A <see cref="Task" /> that represents the asynchronous operation to get the remote search results.
     /// The task result contains an <see cref="NoContentResult"/>.
@@ -241,12 +244,18 @@ public class ItemLookupController : BaseJellyfinApiController
     [HttpPost("Items/RemoteSearch/Apply/{itemId}")]
     [Authorize(Policy = Policies.RequiresElevation)]
     [ProducesResponseType(StatusCodes.Status204NoContent)]
+    [ProducesResponseType(StatusCodes.Status404NotFound)]
     public async Task<ActionResult> ApplySearchCriteria(
         [FromRoute, Required] Guid itemId,
         [FromBody, Required] RemoteSearchResult searchResult,
         [FromQuery] bool replaceAllImages = true)
     {
-        var item = _libraryManager.GetItemById(itemId);
+        var item = _libraryManager.GetItemById<BaseItem>(itemId, User.GetUserId());
+        if (item is null)
+        {
+            return NotFound();
+        }
+
         _logger.LogInformation(
             "Setting provider id's to item {ItemId}-{ItemName}: {@ProviderIds}",
             item.Id,
author	Cody Robibero <cody@robibe.ro>	2024-04-14 08:18:36 -0600
committer	GitHub <noreply@github.com>	2024-04-14 08:18:36 -0600
commit	6fb6b5f1766a1f37a61b9faaa40209bab995bf30 (patch)
tree	f169e72afeda371db2ffeb1b47c4dd88a03b4744 /Jellyfin.Api/Controllers/ItemLookupController.cs
parent	9a4db8008593647cb6728b10317680dd3152c934 (diff)