-rw-r--r--Jellyfin.Api/Controllers/ImageController.cs13
-rw-r--r--Jellyfin.Api/Controllers/ItemsController.cs18
-rw-r--r--Jellyfin.Api/Controllers/UserController.cs23
-rw-r--r--Jellyfin.Api/Helpers/RequestHelpers.cs13
4 files changed, 40 insertions, 27 deletions
diff --git a/Jellyfin.Api/Controllers/ImageController.cs b/Jellyfin.Api/Controllers/ImageController.cs
index 8e8accab3..8977cfacc 100644
--- a/Jellyfin.Api/Controllers/ImageController.cs
+++ b/Jellyfin.Api/Controllers/ImageController.cs
@@ -109,7 +109,7 @@ public class ImageController : BaseJellyfinApiController
return NotFound();
}
- if (!RequestHelpers.AssertCanUpdateUser(_userManager, HttpContext.User, requestUserId, true))
+ if (!RequestHelpers.AssertCanUpdateUser(HttpContext.User, user, true))
{
return StatusCode(StatusCodes.Status403Forbidden, "User is not allowed to update the image.");
}
@@ -203,13 +203,18 @@ public class ImageController : BaseJellyfinApiController
[FromQuery] Guid? userId)
{
var requestUserId = RequestHelpers.GetUserId(User, userId);
- if (!RequestHelpers.AssertCanUpdateUser(_userManager, HttpContext.User, requestUserId, true))
+ var user = _userManager.GetUserById(requestUserId);
+ if (user is null)
+ {
+ return NotFound();
+ }
+
+ if (!RequestHelpers.AssertCanUpdateUser(HttpContext.User, user, true))
{
return StatusCode(StatusCodes.Status403Forbidden, "User is not allowed to delete the image.");
}
- var user = _userManager.GetUserById(requestUserId);
- if (user?.ProfileImage is null)
+ if (user.ProfileImage is null)
{
return NoContent();
}
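Review bot: Moving the `_userManager.GetUserById` lookup and its `NotFound()` ahead of `AssertCanUpdateUser` changes what a caller who is neither the subject nor an administrator learns: a 404 now confirms that the requested user id does not exist, whereas the old order answered 403 before any lookup (the removed helper only fetched the user after the self-or-admin test passed). The same reordering appears in both ItemsController hunks and in the UserController UpdatePassword and UpdateUserConfiguration hunks. Because `userId` is a `Guid` the practical exposure is small, but if the previous behaviour was intentional the self-or-admin test only needs `requestUserId` and the claims and could run before the lookup; otherwise a short comment on the lookup such as `// 404 before 403 is intentional: the entity is needed for the preference check` would make the choice explicit for the next reader. The enclosing action method starts outside this hunk.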
diff --git a/Jellyfin.Api/Controllers/ItemsController.cs b/Jellyfin.Api/Controllers/ItemsController.cs
index d33634412..828bd5174 100644
--- a/Jellyfin.Api/Controllers/ItemsController.cs
+++ b/Jellyfin.Api/Controllers/ItemsController.cs
@@ -972,12 +972,17 @@ public class ItemsController : BaseJellyfinApiController
[FromRoute, Required] Guid itemId)
{
var requestUserId = RequestHelpers.GetUserId(User, userId);
- if (!RequestHelpers.AssertCanUpdateUser(_userManager, User, requestUserId, true))
+ var user = _userManager.GetUserById(requestUserId);
+ if (user is null)
+ {
+ return NotFound();
+ }
+
+ if (!RequestHelpers.AssertCanUpdateUser(User, user, true))
{
return StatusCode(StatusCodes.Status403Forbidden, "User is not allowed to view this item user data.");
}
- var user = _userManager.GetUserById(requestUserId) ?? throw new ResourceNotFoundException();
var item = _libraryManager.GetItemById<BaseItem>(itemId, user);
if (item is null)
{
@@ -1023,12 +1028,17 @@ public class ItemsController : BaseJellyfinApiController
[FromBody, Required] UpdateUserItemDataDto userDataDto)
{
var requestUserId = RequestHelpers.GetUserId(User, userId);
- if (!RequestHelpers.AssertCanUpdateUser(_userManager, User, requestUserId, true))
+ var user = _userManager.GetUserById(requestUserId);
+ if (user is null)
+ {
+ return NotFound();
+ }
+
+ if (!RequestHelpers.AssertCanUpdateUser(User, user, true))
{
return StatusCode(StatusCodes.Status403Forbidden, "User is not allowed to update this item user data.");
}
- var user = _userManager.GetUserById(requestUserId) ?? throw new ResourceNotFoundException();
var item = _libraryManager.GetItemById<BaseItem>(itemId, user);
if (item is null)
{
diff --git a/Jellyfin.Api/Controllers/UserController.cs b/Jellyfin.Api/Controllers/UserController.cs
index c3923a2ad..2df79c80c 100644
--- a/Jellyfin.Api/Controllers/UserController.cs
+++ b/Jellyfin.Api/Controllers/UserController.cs
@@ -274,16 +274,15 @@ public class UserController : BaseJellyfinApiController
[FromBody, Required] UpdateUserPassword request)
{
var requestUserId = userId ?? User.GetUserId();
- if (!RequestHelpers.AssertCanUpdateUser(_userManager, User, requestUserId, true))
+ var user = _userManager.GetUserById(requestUserId);
+ if (user is null)
{
- return StatusCode(StatusCodes.Status403Forbidden, "User is not allowed to update the password.");
+ return NotFound();
}
- var user = _userManager.GetUserById(requestUserId);
-
- if (user is null)
+ if (!RequestHelpers.AssertCanUpdateUser(User, user, true))
{
- return NotFound("User not found");
+ return StatusCode(StatusCodes.Status403Forbidden, "User is not allowed to update the password.");
}
if (request.ResetPassword)
@@ -386,7 +385,7 @@ public class UserController : BaseJellyfinApiController
return NotFound();
}
- if (!RequestHelpers.AssertCanUpdateUser(_userManager, User, requestUserId, true))
+ if (!RequestHelpers.AssertCanUpdateUser(User, user, true))
{
return StatusCode(StatusCodes.Status403Forbidden, "User update not allowed.");
}
@@ -396,7 +395,7 @@ public class UserController : BaseJellyfinApiController
await _userManager.RenameUser(user, updateUser.Name).ConfigureAwait(false);
}
- await _userManager.UpdateConfigurationAsync(user.Id, updateUser.Configuration).ConfigureAwait(false);
+ await _userManager.UpdateConfigurationAsync(requestUserId, updateUser.Configuration).ConfigureAwait(false);
return NoContent();
}
@@ -495,7 +494,13 @@ public class UserController : BaseJellyfinApiController
[FromBody, Required] UserConfiguration userConfig)
{
var requestUserId = userId ?? User.GetUserId();
- if (!RequestHelpers.AssertCanUpdateUser(_userManager, User, requestUserId, true))
+ var user = _userManager.GetUserById(requestUserId);
+ if (user is null)
+ {
+ return NotFound();
+ }
+
+ if (!RequestHelpers.AssertCanUpdateUser(User, user, true))
{
return StatusCode(StatusCodes.Status403Forbidden, "User configuration update not allowed");
}
diff --git a/Jellyfin.Api/Helpers/RequestHelpers.cs b/Jellyfin.Api/Helpers/RequestHelpers.cs
index a3d7f471e..1d9c189a0 100644
--- a/Jellyfin.Api/Helpers/RequestHelpers.cs
+++ b/Jellyfin.Api/Helpers/RequestHelpers.cs
@@ -86,18 +86,17 @@ public static class RequestHelpers
/// <summary>
/// Checks if the user can update an entry.
/// </summary>
- /// <param name="userManager">An instance of the <see cref="IUserManager"/> interface.</param>
/// <param name="claimsPrincipal">The <see cref="ClaimsPrincipal"/> for the current request.</param>
- /// <param name="userId">The user id.</param>
+ /// <param name="user">The user id.</param>
/// <param name="restrictUserPreferences">Whether to restrict the user preferences.</param>
/// <returns>A <see cref="bool"/> whether the user can update the entry.</returns>
- internal static bool AssertCanUpdateUser(IUserManager userManager, ClaimsPrincipal claimsPrincipal, Guid userId, bool restrictUserPreferences)
+ internal static bool AssertCanUpdateUser(ClaimsPrincipal claimsPrincipal, User user, bool restrictUserPreferences)
{
var authenticatedUserId = claimsPrincipal.GetUserId();
var isAdministrator = claimsPrincipal.IsInRole(UserRoles.Administrator);
// If they're going to update the record of another user, they must be an administrator
- if (!userId.Equals(authenticatedUserId) && !isAdministrator)
+ if (!user.Id.Equals(authenticatedUserId) && !isAdministrator)
{
return false;
}
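Review bot: The rewritten `<param name="user">` tag still reads `The user id.`, but the parameter is now the `User` entity rather than a `Guid`, so the XML doc describes the old contract; suggest `/// <param name="user">The user whose record is to be updated.</param>`. Since this internal helper dereferences `user.Id` unconditionally, it may also be worth stating the non-null contract in the method itself with `ArgumentNullException.ThrowIfNull(user);` as the first statement (available on .NET 6 and later) instead of relying on each caller's check; every caller in this commit does null-check first, so this is defensive only. AssertCanUpdateUser continues past the end of this hunk.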
@@ -108,12 +107,6 @@ public static class RequestHelpers
return true;
}
- var user = userManager.GetUserById(userId);
- if (user is null)
- {
- throw new ResourceNotFoundException();
- }
-
return user.EnableUserPreferenceAccess;
}