Added access validation to view item user data.

author: ArabCoders <admin@arabcoders.org> 2023-11-13 15:55:12 +0300
committer: ArabCoders <admin@arabcoders.org> 2023-11-13 15:55:12 +0300
commit: faa036aa7b696fd5091e52fd2bed6ed67ca63481 (patch)
tree: a56ccdfbb1c2356f3db95c650f01534cc8426326 /Jellyfin.Api/Controllers/ItemsController.cs
parent: 2a25c5a2e3e37e734993d17b7462598babcb0b97 (diff)
1 files changed, 5 insertions, 0 deletions
diff --git a/Jellyfin.Api/Controllers/ItemsController.cs b/Jellyfin.Api/Controllers/ItemsController.cs
index 2a346be68..dd54e6ca7 100644
--- a/Jellyfin.Api/Controllers/ItemsController.cs
+++ b/Jellyfin.Api/Controllers/ItemsController.cs
@@ -902,6 +902,11 @@ public class ItemsController : BaseJellyfinApiController
         [FromRoute, Required] Guid userId,
         [FromRoute, Required] Guid itemId)
     {
+        if (!RequestHelpers.AssertCanUpdateUser(_userManager, User, userId, true))
+        {
+            return StatusCode(StatusCodes.Status403Forbidden, "User is not allowed to view this item user data.");
+        }
+
         var user = _userManager.GetUserById(userId) ?? throw new ResourceNotFoundException();
         var item = _libraryManager.GetItemById(itemId);
author	ArabCoders <admin@arabcoders.org>	2023-11-13 15:55:12 +0300
committer	ArabCoders <admin@arabcoders.org>	2023-11-13 15:55:12 +0300
commit	faa036aa7b696fd5091e52fd2bed6ed67ca63481 (patch)
tree	a56ccdfbb1c2356f3db95c650f01534cc8426326 /Jellyfin.Api/Controllers/ItemsController.cs
parent	2a25c5a2e3e37e734993d17b7462598babcb0b97 (diff)