| author | Cody Robibero <cody@robibe.ro> | 2024-04-14 08:18:36 -0600 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2024-04-14 08:18:36 -0600 |
| commit | 6fb6b5f1766a1f37a61b9faaa40209bab995bf30 (patch) | |
| tree | f169e72afeda371db2ffeb1b47c4dd88a03b4744 /Jellyfin.Api/Controllers/ItemUpdateController.cs | |
| parent | 9a4db8008593647cb6728b10317680dd3152c934 (diff) | |
Validate item access (#11171)
Diffstat (limited to 'Jellyfin.Api/Controllers/ItemUpdateController.cs')
| -rw-r--r-- | Jellyfin.Api/Controllers/ItemUpdateController.cs | 12 |
1 files changed, 9 insertions, 3 deletions
diff --git a/Jellyfin.Api/Controllers/ItemUpdateController.cs b/Jellyfin.Api/Controllers/ItemUpdateController.cs
index 9800248c6..83f308bb1 100644
--- a/Jellyfin.Api/Controllers/ItemUpdateController.cs
+++ b/Jellyfin.Api/Controllers/ItemUpdateController.cs
@@ -5,6 +5,8 @@ using System.Linq;
 using System.Threading;
 using System.Threading.Tasks;
 using Jellyfin.Api.Constants;
+using Jellyfin.Api.Extensions;
+using Jellyfin.Api.Helpers;
 using Jellyfin.Data.Enums;
 using MediaBrowser.Common.Api;
 using MediaBrowser.Controller.Configuration;
@@ -72,7 +74,7 @@ public class ItemUpdateController : BaseJellyfinApiController
 [ProducesResponseType(StatusCodes.Status404NotFound)]
 public async Task<ActionResult> UpdateItem([FromRoute, Required] Guid itemId, [FromBody, Required] BaseItemDto request)
 {
- var item = _libraryManager.GetItemById(itemId);
+ var item = _libraryManager.GetItemById<BaseItem>(itemId, User.GetUserId());
 if (item is null)
 {
 return NotFound();
@@ -145,7 +147,11 @@ public class ItemUpdateController : BaseJellyfinApiController
 [ProducesResponseType(StatusCodes.Status404NotFound)]
 public ActionResult<MetadataEditorInfo> GetMetadataEditorInfo([FromRoute, Required] Guid itemId)
 {
- var item = _libraryManager.GetItemById(itemId);
+ var item = _libraryManager.GetItemById<BaseItem>(itemId, User.GetUserId());
+ if (item is null)
+ {
+ return NotFound();
+ }
 
 var info = new MetadataEditorInfo
 {
@@ -197,7 +203,7 @@ public class ItemUpdateController : BaseJellyfinApiController
 [ProducesResponseType(StatusCodes.Status404NotFound)]
 public ActionResult UpdateItemContentType([FromRoute, Required] Guid itemId, [FromQuery] string? contentType)
 {
- var item = _libraryManager.GetItemById(itemId);
+ var item = _libraryManager.GetItemById<BaseItem>(itemId, User.GetUserId());
 if (item is null)
 {
 return NotFound();
 |
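Review bot: The user-scoped lookup in `UpdateItem` only enforces access if `User.GetUserId()` yields a real user id, and nothing in the hunk shows what `GetItemById<BaseItem>(itemId, userId)` does when that value is empty, for example on a request authenticated without a user context. If the overload skips the access filter in that case, the check fails open for those callers, so I would confirm the behaviour and state the intent above the call, e.g. `// Scoped to the caller: items the user cannot access are reported as 404.` The same call is introduced in `GetMetadataEditorInfo` and `UpdateItemContentType`, so this applies to all three hunks. Each method body continues outside its hunk, so any later unscoped lookup in them is not visible here.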
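Review bot: The lookup followed by `if (item is null) { return NotFound(); }` is now repeated in three actions, and `GetMetadataEditorInfo` had no null check at all before this commit, which shows how easily the copies drift apart. A small private helper on the controller that wraps `_libraryManager.GetItemById<BaseItem>(itemId, User.GetUserId())` would give later actions a single place to obtain the access-checked item. A regression test that requests an item outside the caller's libraries and expects a 404 would pin the new behaviour; none is visible here, though the diffstat is limited to this one file.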
