Validate item access (#11171)

author: Cody Robibero <cody@robibe.ro> 2024-04-14 08:18:36 -0600
committer: GitHub <noreply@github.com> 2024-04-14 08:18:36 -0600
commit: 6fb6b5f1766a1f37a61b9faaa40209bab995bf30 (patch)
tree: f169e72afeda371db2ffeb1b47c4dd88a03b4744 /Jellyfin.Api/Controllers/PlaystateController.cs
parent: 9a4db8008593647cb6728b10317680dd3152c934 (diff)
1 files changed, 11 insertions, 10 deletions
diff --git a/Jellyfin.Api/Controllers/PlaystateController.cs b/Jellyfin.Api/Controllers/PlaystateController.cs
index 949d101dc..9d6d75681 100644
--- a/Jellyfin.Api/Controllers/PlaystateController.cs
+++ b/Jellyfin.Api/Controllers/PlaystateController.cs
@@ -6,6 +6,7 @@ using Jellyfin.Api.Extensions;
 using Jellyfin.Api.Helpers;
 using Jellyfin.Api.ModelBinders;
 using Jellyfin.Data.Entities;
+using Jellyfin.Extensions;
 using MediaBrowser.Controller.Entities;
 using MediaBrowser.Controller.Library;
 using MediaBrowser.Controller.MediaEncoding;
@@ -76,21 +77,21 @@ public class PlaystateController : BaseJellyfinApiController
         [FromRoute, Required] Guid itemId,
         [FromQuery, ModelBinder(typeof(LegacyDateTimeModelBinder))] DateTime? datePlayed)
     {
-        var requestUserId = RequestHelpers.GetUserId(User, userId);
-        var user = _userManager.GetUserById(requestUserId);
+        userId = RequestHelpers.GetUserId(User, userId);
+        var user = _userManager.GetUserById(userId.Value);
         if (user is null)
         {
             return NotFound();
         }
 
-        var session = await RequestHelpers.GetSession(_sessionManager, _userManager, HttpContext).ConfigureAwait(false);
-
-        var item = _libraryManager.GetItemById(itemId);
+        var item = _libraryManager.GetItemById<BaseItem>(itemId, user);
         if (item is null)
         {
             return NotFound();
         }
 
+        var session = await RequestHelpers.GetSession(_sessionManager, _userManager, HttpContext).ConfigureAwait(false);
+
         var dto = UpdatePlayedStatus(user, item, true, datePlayed);
         foreach (var additionalUserInfo in session.AdditionalUsers)
         {
@@ -141,21 +142,21 @@ public class PlaystateController : BaseJellyfinApiController
         [FromQuery] Guid? userId,
         [FromRoute, Required] Guid itemId)
     {
-        var requestUserId = RequestHelpers.GetUserId(User, userId);
-        var user = _userManager.GetUserById(requestUserId);
+        userId = RequestHelpers.GetUserId(User, userId);
+        var user = _userManager.GetUserById(userId.Value);
         if (user is null)
         {
             return NotFound();
         }
 
-        var session = await RequestHelpers.GetSession(_sessionManager, _userManager, HttpContext).ConfigureAwait(false);
-        var item = _libraryManager.GetItemById(itemId);
-
+        var item = _libraryManager.GetItemById<BaseItem>(itemId, user);
         if (item is null)
         {
             return NotFound();
         }
 
+        var session = await RequestHelpers.GetSession(_sessionManager, _userManager, HttpContext).ConfigureAwait(false);
+
         var dto = UpdatePlayedStatus(user, item, false, null);
         foreach (var additionalUserInfo in session.AdditionalUsers)
         {
author	Cody Robibero <cody@robibe.ro>	2024-04-14 08:18:36 -0600
committer	GitHub <noreply@github.com>	2024-04-14 08:18:36 -0600
commit	6fb6b5f1766a1f37a61b9faaa40209bab995bf30 (patch)
tree	f169e72afeda371db2ffeb1b47c4dd88a03b4744 /Jellyfin.Api/Controllers/PlaystateController.cs
parent	9a4db8008593647cb6728b10317680dd3152c934 (diff)