diff options
Diffstat (limited to 'Jellyfin.Api/Controllers/ItemsController.cs')
| -rw-r--r-- | Jellyfin.Api/Controllers/ItemsController.cs | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/Jellyfin.Api/Controllers/ItemsController.cs b/Jellyfin.Api/Controllers/ItemsController.cs index 2a346be68..dd54e6ca7 100644 --- a/Jellyfin.Api/Controllers/ItemsController.cs +++ b/Jellyfin.Api/Controllers/ItemsController.cs @@ -902,6 +902,11 @@ public class ItemsController : BaseJellyfinApiController [FromRoute, Required] Guid userId, [FromRoute, Required] Guid itemId) { + if (!RequestHelpers.AssertCanUpdateUser(_userManager, User, userId, true)) + { + return StatusCode(StatusCodes.Status403Forbidden, "User is not allowed to view this item user data."); + } + var user = _userManager.GetUserById(userId) ?? throw new ResourceNotFoundException(); var item = _libraryManager.GetItemById(itemId); |