Merge branch 'master' into master

1 files changed, 29 insertions, 10 deletions

diff --git a/Jellyfin.Api/Controllers/PlaylistsController.cs b/Jellyfin.Api/Controllers/PlaylistsController.cs
index ec5fdab38..79c71d23a 100644
--- a/Jellyfin.Api/Controllers/PlaylistsController.cs
+++ b/Jellyfin.Api/Controllers/PlaylistsController.cs
@@ -450,22 +450,41 @@ public class PlaylistsController : BaseJellyfinApiController
     {
         var callingUserId = User.GetUserId();
 
-        var playlist = _playlistManager.GetPlaylistForUser(Guid.Parse(playlistId), callingUserId);
-        if (playlist is null)
+        if (!callingUserId.IsEmpty())
         {
-            return NotFound("Playlist not found");
+            var playlist = _playlistManager.GetPlaylistForUser(Guid.Parse(playlistId), callingUserId);
+            if (playlist is null)
+            {
+                return NotFound("Playlist not found");
+            }
+
+            var isPermitted = playlist.OwnerUserId.Equals(callingUserId)
+                              || playlist.Shares.Any(s => s.CanEdit && s.UserId.Equals(callingUserId));
+
+            if (!isPermitted)
+            {
+                return Forbid();
+            }
         }
+        else
+        {
+            var isApiKey = User.GetIsApiKey();
 
-        var isPermitted = playlist.OwnerUserId.Equals(callingUserId)
-            || playlist.Shares.Any(s => s.CanEdit && s.UserId.Equals(callingUserId));
+            if (!isApiKey)
+            {
+                return Forbid();
+            }
+        }
 
-        if (!isPermitted)
+        try
         {
-            return Forbid();
+            await _playlistManager.RemoveItemFromPlaylistAsync(playlistId, entryIds).ConfigureAwait(false);
+            return NoContent();
+        }
+        catch (ArgumentException)
+        {
+            return NotFound();
         }
-
-        await _playlistManager.RemoveItemFromPlaylistAsync(playlistId, entryIds).ConfigureAwait(false);
-        return NoContent();
     }
 
     /// <summary>