diff options
| author | Cody Robibero <cody@robibe.ro> | 2024-04-14 08:18:36 -0600 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2024-04-14 08:18:36 -0600 |
| commit | 6fb6b5f1766a1f37a61b9faaa40209bab995bf30 (patch) | |
| tree | f169e72afeda371db2ffeb1b47c4dd88a03b4744 /Jellyfin.Api/Controllers/VideosController.cs | |
| parent | 9a4db8008593647cb6728b10317680dd3152c934 (diff) | |
Validate item access (#11171)
Diffstat (limited to 'Jellyfin.Api/Controllers/VideosController.cs')
| -rw-r--r-- | Jellyfin.Api/Controllers/VideosController.cs | 31 |
1 files changed, 17 insertions, 14 deletions
diff --git a/Jellyfin.Api/Controllers/VideosController.cs b/Jellyfin.Api/Controllers/VideosController.cs index 380120032..a9e1d4484 100644 --- a/Jellyfin.Api/Controllers/VideosController.cs +++ b/Jellyfin.Api/Controllers/VideosController.cs @@ -7,7 +7,6 @@ using System.Net.Http; using System.Threading; using System.Threading.Tasks; using Jellyfin.Api.Attributes; -using Jellyfin.Api.Constants; using Jellyfin.Api.Extensions; using Jellyfin.Api.Helpers; using Jellyfin.Api.ModelBinders; @@ -105,7 +104,11 @@ public class VideosController : BaseJellyfinApiController ? (userId.IsNullOrEmpty() ? _libraryManager.RootFolder : _libraryManager.GetUserRootFolder()) - : _libraryManager.GetItemById(itemId); + : _libraryManager.GetItemById<BaseItem>(itemId, user); + if (item is null) + { + return NotFound(); + } var dtoOptions = new DtoOptions(); dtoOptions = dtoOptions.AddClientFields(User); @@ -139,24 +142,23 @@ public class VideosController : BaseJellyfinApiController [ProducesResponseType(StatusCodes.Status404NotFound)] public async Task<ActionResult> DeleteAlternateSources([FromRoute, Required] Guid itemId) { - var video = (Video)_libraryManager.GetItemById(itemId); - - if (video is null) + var item = _libraryManager.GetItemById<Video>(itemId, User.GetUserId()); + if (item is null) { - return NotFound("The video either does not exist or the id does not belong to a video."); + return NotFound(); } - if (video.LinkedAlternateVersions.Length == 0) + if (item.LinkedAlternateVersions.Length == 0) { - video = (Video?)_libraryManager.GetItemById(video.PrimaryVersionId); + item = _libraryManager.GetItemById<Video>(Guid.Parse(item.PrimaryVersionId)); } - if (video is null) + if (item is null) { return NotFound(); } - foreach (var link in video.GetLinkedAlternateVersions()) + foreach (var link in item.GetLinkedAlternateVersions()) { link.SetPrimaryVersionId(null); link.LinkedAlternateVersions = Array.Empty<LinkedChild>(); @@ -164,9 +166,9 @@ public class VideosController : BaseJellyfinApiController await link.UpdateToRepositoryAsync(ItemUpdateType.MetadataEdit, CancellationToken.None).ConfigureAwait(false); } - video.LinkedAlternateVersions = Array.Empty<LinkedChild>(); - video.SetPrimaryVersionId(null); - await video.UpdateToRepositoryAsync(ItemUpdateType.MetadataEdit, CancellationToken.None).ConfigureAwait(false); + item.LinkedAlternateVersions = Array.Empty<LinkedChild>(); + item.SetPrimaryVersionId(null); + await item.UpdateToRepositoryAsync(ItemUpdateType.MetadataEdit, CancellationToken.None).ConfigureAwait(false); return NoContent(); } @@ -184,8 +186,9 @@ public class VideosController : BaseJellyfinApiController [ProducesResponseType(StatusCodes.Status400BadRequest)] public async Task<ActionResult> MergeVersions([FromQuery, Required, ModelBinder(typeof(CommaDelimitedArrayModelBinder))] Guid[] ids) { + var userId = User.GetUserId(); var items = ids - .Select(i => _libraryManager.GetItemById(i)) + .Select(i => _libraryManager.GetItemById<BaseItem>(i, userId)) .OfType<Video>() .OrderBy(i => i.Id) .ToList(); |