authorCody Robibero <cody@robibe.ro>2024-04-14 08:18:36 -0600
committerGitHub <noreply@github.com>2024-04-14 08:18:36 -0600
commit6fb6b5f1766a1f37a61b9faaa40209bab995bf30 (patch)
treef169e72afeda371db2ffeb1b47c4dd88a03b4744 /Jellyfin.Api/Controllers/LyricsController.cs
parent9a4db8008593647cb6728b10317680dd3152c934 (diff)
Validate item access (#11171)
Diffstat (limited to 'Jellyfin.Api/Controllers/LyricsController.cs')
-rw-r--r--Jellyfin.Api/Controllers/LyricsController.cs58
1 files changed, 19 insertions, 39 deletions
diff --git a/Jellyfin.Api/Controllers/LyricsController.cs b/Jellyfin.Api/Controllers/LyricsController.cs
index f2b312b47..8eb4cadf8 100644
--- a/Jellyfin.Api/Controllers/LyricsController.cs
+++ b/Jellyfin.Api/Controllers/LyricsController.cs
@@ -7,6 +7,7 @@ using System.Threading;
using System.Threading.Tasks;
using Jellyfin.Api.Attributes;
using Jellyfin.Api.Extensions;
+using Jellyfin.Api.Helpers;
using Jellyfin.Extensions;
using MediaBrowser.Common.Api;
using MediaBrowser.Controller.Entities.Audio;
@@ -66,37 +67,16 @@ public class LyricsController : BaseJellyfinApiController
[HttpGet("Audio/{itemId}/Lyrics")]
[Authorize]
[ProducesResponseType(StatusCodes.Status200OK)]
+ [ProducesResponseType(StatusCodes.Status404NotFound)]
public async Task<ActionResult<LyricDto>> GetLyrics([FromRoute, Required] Guid itemId)
{
- var isApiKey = User.GetIsApiKey();
- var userId = User.GetUserId();
- if (!isApiKey && userId.IsEmpty())
- {
- return BadRequest();
- }
-
- var audio = _libraryManager.GetItemById<Audio>(itemId);
- if (audio is null)
+ var item = _libraryManager.GetItemById<Audio>(itemId, User.GetUserId());
+ if (item is null)
{
return NotFound();
}
- if (!isApiKey)
- {
- var user = _userManager.GetUserById(userId);
- if (user is null)
- {
- return NotFound();
- }
-
- // Check the item is visible for the user
- if (!audio.IsVisible(user))
- {
- return Unauthorized($"{user.Username} is not permitted to access item {audio.Name}.");
- }
- }
-
- var result = await _lyricManager.GetLyricsAsync(audio, CancellationToken.None).ConfigureAwait(false);
+ var result = await _lyricManager.GetLyricsAsync(item, CancellationToken.None).ConfigureAwait(false);
if (result is not null)
{
return Ok(result);
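Review bot: With the explicit API-key branch removed, an API-key request presumably reaches the new `GetItemById<Audio>(itemId, User.GetUserId())` line with an empty user id, and what the two-argument overload does with that (skip the visibility check, or return null) is not visible in this diff. The removed code treated the two callers differently, so the contract deserves a comment above the lookup, e.g. `// Returns null when the item is missing or not visible to the caller; an empty user id (API key) is assumed to bypass the visibility check - confirm.`, plus a test for an API-key caller. The same lookup is introduced in the hunks at -124, -176, -199 and -225, where the item is then written to or deleted, so the question applies there as well. Answering a hidden item with NotFound() rather than the old Unauthorized text carrying the username and item name is the right direction, since the response no longer confirms that the item exists. GetLyrics continues past the end of this hunk.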
@@ -124,8 +104,8 @@ public class LyricsController : BaseJellyfinApiController
[FromRoute, Required] Guid itemId,
[FromQuery, Required] string fileName)
{
- var audio = _libraryManager.GetItemById<Audio>(itemId);
- if (audio is null)
+ var item = _libraryManager.GetItemById<Audio>(itemId, User.GetUserId());
+ if (item is null)
{
return NotFound();
}
@@ -147,7 +127,7 @@ public class LyricsController : BaseJellyfinApiController
{
await Request.Body.CopyToAsync(stream).ConfigureAwait(false);
var uploadedLyric = await _lyricManager.SaveLyricAsync(
- audio,
+ item,
format,
stream)
.ConfigureAwait(false);
@@ -157,7 +137,7 @@ public class LyricsController : BaseJellyfinApiController
return BadRequest();
}
- _providerManager.QueueRefresh(audio.Id, new MetadataRefreshOptions(new DirectoryService(_fileSystem)), RefreshPriority.High);
+ _providerManager.QueueRefresh(item.Id, new MetadataRefreshOptions(new DirectoryService(_fileSystem)), RefreshPriority.High);
return Ok(uploadedLyric);
}
}
@@ -176,13 +156,13 @@ public class LyricsController : BaseJellyfinApiController
public async Task<ActionResult> DeleteLyrics(
[FromRoute, Required] Guid itemId)
{
- var audio = _libraryManager.GetItemById<Audio>(itemId);
- if (audio is null)
+ var item = _libraryManager.GetItemById<Audio>(itemId, User.GetUserId());
+ if (item is null)
{
return NotFound();
}
- await _lyricManager.DeleteLyricsAsync(audio).ConfigureAwait(false);
+ await _lyricManager.DeleteLyricsAsync(item).ConfigureAwait(false);
return NoContent();
}
@@ -199,13 +179,13 @@ public class LyricsController : BaseJellyfinApiController
[ProducesResponseType(StatusCodes.Status404NotFound)]
public async Task<ActionResult<IReadOnlyList<RemoteLyricInfoDto>>> SearchRemoteLyrics([FromRoute, Required] Guid itemId)
{
- var audio = _libraryManager.GetItemById<Audio>(itemId);
- if (audio is null)
+ var item = _libraryManager.GetItemById<Audio>(itemId, User.GetUserId());
+ if (item is null)
{
return NotFound();
}
- var results = await _lyricManager.SearchLyricsAsync(audio, false, CancellationToken.None).ConfigureAwait(false);
+ var results = await _lyricManager.SearchLyricsAsync(item, false, CancellationToken.None).ConfigureAwait(false);
return Ok(results);
}
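Review bot: The rewritten `SearchLyricsAsync(item, false, CancellationToken.None)` call still cannot be cancelled, so what is presumably a remote provider query keeps running after the client has disconnected. ASP.NET Core binds a `CancellationToken` action parameter to the request-abort token, so unless the project has a convention against it the signature could become `SearchRemoteLyrics([FromRoute, Required] Guid itemId, CancellationToken cancellationToken)` with `cancellationToken` passed through. The same applies to `GetLyricsAsync` in GetLyrics and to `DownloadLyricsAsync` in the last hunk. The attributes above the method start outside this hunk.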
@@ -225,19 +205,19 @@ public class LyricsController : BaseJellyfinApiController
[FromRoute, Required] Guid itemId,
[FromRoute, Required] string lyricId)
{
- var audio = _libraryManager.GetItemById<Audio>(itemId);
- if (audio is null)
+ var item = _libraryManager.GetItemById<Audio>(itemId, User.GetUserId());
+ if (item is null)
{
return NotFound();
}
- var downloadedLyrics = await _lyricManager.DownloadLyricsAsync(audio, lyricId, CancellationToken.None).ConfigureAwait(false);
+ var downloadedLyrics = await _lyricManager.DownloadLyricsAsync(item, lyricId, CancellationToken.None).ConfigureAwait(false);
if (downloadedLyrics is null)
{
return NotFound();
}
- _providerManager.QueueRefresh(audio.Id, new MetadataRefreshOptions(new DirectoryService(_fileSystem)), RefreshPriority.High);
+ _providerManager.QueueRefresh(item.Id, new MetadataRefreshOptions(new DirectoryService(_fileSystem)), RefreshPriority.High);
return Ok(downloadedLyrics);
}