Validate requested user id (#8812)

author: Cody Robibero <cody@robibe.ro> 2023-02-17 15:16:08 -0700
committer: GitHub <noreply@github.com> 2023-02-17 23:16:08 +0100
commit: a527034ebe31e1aa43c5fd4adb98e8cff871988a (patch)
tree: 9e790c1f87c2d3fbdb784bdc9cce1535fc4e561b /Jellyfin.Api/Controllers/ItemsController.cs
parent: 9979b346ea0392f02922b7cce271f31ccb051987 (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/Jellyfin.Api/Controllers/ItemsController.cs b/Jellyfin.Api/Controllers/ItemsController.cs
index 99366e80c..728e62810 100644
--- a/Jellyfin.Api/Controllers/ItemsController.cs
+++ b/Jellyfin.Api/Controllers/ItemsController.cs
@@ -240,7 +240,8 @@ public class ItemsController : BaseJellyfinApiController
     {
         var isApiKey = User.GetIsApiKey();
         // if api key is used (auth.IsApiKey == true), then `user` will be null throughout this method
-        var user = !isApiKey && userId.HasValue && !userId.Value.Equals(default)
+        userId = RequestHelpers.GetUserId(User, userId);
+        var user = !isApiKey && !userId.Value.Equals(default)
             ? _userManager.GetUserById(userId.Value) ?? throw new ResourceNotFoundException()
             : null;
author	Cody Robibero <cody@robibe.ro>	2023-02-17 15:16:08 -0700
committer	GitHub <noreply@github.com>	2023-02-17 23:16:08 +0100
commit	a527034ebe31e1aa43c5fd4adb98e8cff871988a (patch)
tree	9e790c1f87c2d3fbdb784bdc9cce1535fc4e561b /Jellyfin.Api/Controllers/ItemsController.cs
parent	9979b346ea0392f02922b7cce271f31ccb051987 (diff)