Diffstat (limited to 'Jellyfin.Api/Controllers')
-rw-r--r--Jellyfin.Api/Controllers/ImageController.cs13
-rw-r--r--Jellyfin.Api/Controllers/ItemsController.cs18
-rw-r--r--Jellyfin.Api/Controllers/TvShowsController.cs13
-rw-r--r--Jellyfin.Api/Controllers/UserController.cs23
-rw-r--r--Jellyfin.Api/Controllers/UserLibraryController.cs2
-rw-r--r--Jellyfin.Api/Controllers/UserViewsController.cs6
6 files changed, 48 insertions, 27 deletions
diff --git a/Jellyfin.Api/Controllers/ImageController.cs b/Jellyfin.Api/Controllers/ImageController.cs
index 6a169eae3a..b711990261 100644
--- a/Jellyfin.Api/Controllers/ImageController.cs
+++ b/Jellyfin.Api/Controllers/ImageController.cs
@@ -109,7 +109,7 @@ public class ImageController : BaseJellyfinApiController
return NotFound();
}
- if (!RequestHelpers.AssertCanUpdateUser(_userManager, HttpContext.User, requestUserId, true))
+ if (!RequestHelpers.AssertCanUpdateUser(HttpContext.User, user, true))
{
return StatusCode(StatusCodes.Status403Forbidden, "User is not allowed to update the image.");
}
@@ -203,13 +203,18 @@ public class ImageController : BaseJellyfinApiController
[FromQuery] Guid? userId)
{
var requestUserId = RequestHelpers.GetUserId(User, userId);
- if (!RequestHelpers.AssertCanUpdateUser(_userManager, HttpContext.User, requestUserId, true))
+ var user = _userManager.GetUserById(requestUserId);
+ if (user is null)
+ {
+ return NotFound();
+ }
+
+ if (!RequestHelpers.AssertCanUpdateUser(HttpContext.User, user, true))
{
return StatusCode(StatusCodes.Status403Forbidden, "User is not allowed to delete the image.");
}
- var user = _userManager.GetUserById(requestUserId);
- if (user?.ProfileImage is null)
+ if (user.ProfileImage is null)
{
return NoContent();
}
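Review bot: The user lookup and `return NotFound();` now run before the `AssertCanUpdateUser` check, so a caller who is not permitted to act on the target gets 404 for an unknown id and 403 for an existing one. The same ordering appears in both ItemsController hunks and in the UserController password and configuration hunks; the password hunk shows the swap explicitly, since its removed lines returned 403 first. If revealing whether a user id exists is acceptable here (the ids appear to be GUIDs), say so at the call site, e.g. `// 404 precedes the permission check: existence of a user id is not treated as secret`. Otherwise, return the same status for both cases when the caller is not the target user or an administrator. What `RequestHelpers.GetUserId` already rejects is not visible in this hunk, so the exposure may be narrower than it looks.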
diff --git a/Jellyfin.Api/Controllers/ItemsController.cs b/Jellyfin.Api/Controllers/ItemsController.cs
index d33634412b..828bd51740 100644
--- a/Jellyfin.Api/Controllers/ItemsController.cs
+++ b/Jellyfin.Api/Controllers/ItemsController.cs
@@ -972,12 +972,17 @@ public class ItemsController : BaseJellyfinApiController
[FromRoute, Required] Guid itemId)
{
var requestUserId = RequestHelpers.GetUserId(User, userId);
- if (!RequestHelpers.AssertCanUpdateUser(_userManager, User, requestUserId, true))
+ var user = _userManager.GetUserById(requestUserId);
+ if (user is null)
+ {
+ return NotFound();
+ }
+
+ if (!RequestHelpers.AssertCanUpdateUser(User, user, true))
{
return StatusCode(StatusCodes.Status403Forbidden, "User is not allowed to view this item user data.");
}
- var user = _userManager.GetUserById(requestUserId) ?? throw new ResourceNotFoundException();
var item = _libraryManager.GetItemById<BaseItem>(itemId, user);
if (item is null)
{
@@ -1023,12 +1028,17 @@ public class ItemsController : BaseJellyfinApiController
[FromBody, Required] UpdateUserItemDataDto userDataDto)
{
var requestUserId = RequestHelpers.GetUserId(User, userId);
- if (!RequestHelpers.AssertCanUpdateUser(_userManager, User, requestUserId, true))
+ var user = _userManager.GetUserById(requestUserId);
+ if (user is null)
+ {
+ return NotFound();
+ }
+
+ if (!RequestHelpers.AssertCanUpdateUser(User, user, true))
{
return StatusCode(StatusCodes.Status403Forbidden, "User is not allowed to update this item user data.");
}
- var user = _userManager.GetUserById(requestUserId) ?? throw new ResourceNotFoundException();
var item = _libraryManager.GetItemById<BaseItem>(itemId, user);
if (item is null)
{
diff --git a/Jellyfin.Api/Controllers/TvShowsController.cs b/Jellyfin.Api/Controllers/TvShowsController.cs
index 4264026670..914ccd7f93 100644
--- a/Jellyfin.Api/Controllers/TvShowsController.cs
+++ b/Jellyfin.Api/Controllers/TvShowsController.cs
@@ -90,7 +90,12 @@ public class TvShowsController : BaseJellyfinApiController
[FromQuery] bool enableResumable = true,
[FromQuery] bool enableRewatching = false)
{
- userId = RequestHelpers.GetUserId(User, userId);
+ var user = _userManager.GetUserById(RequestHelpers.GetUserId(User, userId));
+ if (user is null)
+ {
+ return NotFound();
+ }
+
var options = new DtoOptions { Fields = fields }
.AddClientFields(User)
.AddAdditionalDtoOptions(enableImages, enableUserData, imageTypeLimit, enableImageTypes);
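Review bot: The new `if (user is null) return NotFound();` turns a request with no resolvable user into a 404, whereas the lines removed further down (`userId.IsNullOrEmpty() ? null : _userManager.GetUserById(userId.Value)`) let the action continue with a null user. If callers without a user identity (for example token-only clients) were served by this endpoint before, they now fail. That may be intended, but it is a behaviour change and deserves a comment such as `// a user is required; requests without one are rejected`. No permission check on the resolved `user` is visible in this hunk, so it presumably relies on `RequestHelpers.GetUserId` to reject a foreign `userId`; confirm that in the helper. The action body continues outside the hunk.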
@@ -102,7 +107,7 @@ public class TvShowsController : BaseJellyfinApiController
ParentId = parentId,
SeriesId = seriesId,
StartIndex = startIndex,
- UserId = userId.Value,
+ User = user,
EnableTotalRecordCount = enableTotalRecordCount,
DisableFirstEpisode = disableFirstEpisode,
NextUpDateCutoff = nextUpDateCutoff ?? DateTime.MinValue,
@@ -111,10 +116,6 @@ public class TvShowsController : BaseJellyfinApiController
},
options);
- var user = userId.IsNullOrEmpty()
- ? null
- : _userManager.GetUserById(userId.Value);
-
var returnItems = _dtoService.GetBaseItemDtos(result.Items, options, user);
return new QueryResult<BaseItemDto>(
diff --git a/Jellyfin.Api/Controllers/UserController.cs b/Jellyfin.Api/Controllers/UserController.cs
index c3923a2ada..2df79c80cb 100644
--- a/Jellyfin.Api/Controllers/UserController.cs
+++ b/Jellyfin.Api/Controllers/UserController.cs
@@ -274,16 +274,15 @@ public class UserController : BaseJellyfinApiController
[FromBody, Required] UpdateUserPassword request)
{
var requestUserId = userId ?? User.GetUserId();
- if (!RequestHelpers.AssertCanUpdateUser(_userManager, User, requestUserId, true))
+ var user = _userManager.GetUserById(requestUserId);
+ if (user is null)
{
- return StatusCode(StatusCodes.Status403Forbidden, "User is not allowed to update the password.");
+ return NotFound();
}
- var user = _userManager.GetUserById(requestUserId);
-
- if (user is null)
+ if (!RequestHelpers.AssertCanUpdateUser(User, user, true))
{
- return NotFound("User not found");
+ return StatusCode(StatusCodes.Status403Forbidden, "User is not allowed to update the password.");
}
if (request.ResetPassword)
@@ -386,7 +385,7 @@ public class UserController : BaseJellyfinApiController
return NotFound();
}
- if (!RequestHelpers.AssertCanUpdateUser(_userManager, User, requestUserId, true))
+ if (!RequestHelpers.AssertCanUpdateUser(User, user, true))
{
return StatusCode(StatusCodes.Status403Forbidden, "User update not allowed.");
}
@@ -396,7 +395,7 @@ public class UserController : BaseJellyfinApiController
await _userManager.RenameUser(user, updateUser.Name).ConfigureAwait(false);
}
- await _userManager.UpdateConfigurationAsync(user.Id, updateUser.Configuration).ConfigureAwait(false);
+ await _userManager.UpdateConfigurationAsync(requestUserId, updateUser.Configuration).ConfigureAwait(false);
return NoContent();
}
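Review bot: `UpdateConfigurationAsync` now takes `requestUserId`, while the permission check above was made on the `user` object. The two match only because `user` was loaded from `requestUserId` in code outside this hunk. Passing the id of the entity that was actually authorised keeps the write visibly tied to the check: `await _userManager.UpdateConfigurationAsync(user.Id, updateUser.Configuration).ConfigureAwait(false);`. If the switch to `requestUserId` is deliberate, for instance because `user` may be stale after `RenameUser`, a one-line comment giving the reason would help the next reader.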
@@ -495,7 +494,13 @@ public class UserController : BaseJellyfinApiController
[FromBody, Required] UserConfiguration userConfig)
{
var requestUserId = userId ?? User.GetUserId();
- if (!RequestHelpers.AssertCanUpdateUser(_userManager, User, requestUserId, true))
+ var user = _userManager.GetUserById(requestUserId);
+ if (user is null)
+ {
+ return NotFound();
+ }
+
+ if (!RequestHelpers.AssertCanUpdateUser(User, user, true))
{
return StatusCode(StatusCodes.Status403Forbidden, "User configuration update not allowed");
}
diff --git a/Jellyfin.Api/Controllers/UserLibraryController.cs b/Jellyfin.Api/Controllers/UserLibraryController.cs
index 421f1bfb53..e7bf717274 100644
--- a/Jellyfin.Api/Controllers/UserLibraryController.cs
+++ b/Jellyfin.Api/Controllers/UserLibraryController.cs
@@ -560,7 +560,7 @@ public class UserLibraryController : BaseJellyfinApiController
IsPlayed = isPlayed,
Limit = limit,
ParentId = parentId ?? Guid.Empty,
- UserId = requestUserId,
+ User = user,
},
dtoOptions);
diff --git a/Jellyfin.Api/Controllers/UserViewsController.cs b/Jellyfin.Api/Controllers/UserViewsController.cs
index 01da50d02a..e24f78a888 100644
--- a/Jellyfin.Api/Controllers/UserViewsController.cs
+++ b/Jellyfin.Api/Controllers/UserViewsController.cs
@@ -8,6 +8,7 @@ using Jellyfin.Api.Helpers;
using Jellyfin.Api.ModelBinders;
using Jellyfin.Api.Models.UserViewDtos;
using Jellyfin.Data.Enums;
+using MediaBrowser.Common.Extensions;
using MediaBrowser.Controller.Dto;
using MediaBrowser.Controller.Entities;
using MediaBrowser.Controller.Library;
@@ -69,8 +70,9 @@ public class UserViewsController : BaseJellyfinApiController
[FromQuery] bool includeHidden = false)
{
userId = RequestHelpers.GetUserId(User, userId);
+ var user = _userManager.GetUserById(userId.Value) ?? throw new ResourceNotFoundException();
- var query = new UserViewQuery { UserId = userId.Value, IncludeHidden = includeHidden };
+ var query = new UserViewQuery { User = user, IncludeHidden = includeHidden };
if (includeExternalContent.HasValue)
{
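Review bot: This hunk resolves the user with `?? throw new ResourceNotFoundException()`, while every other controller in this commit uses an explicit `if (user is null) { return NotFound(); }`, and the ItemsController hunks remove exactly this throw pattern. Whether the exception becomes a 404 depends on exception-handling middleware that is not visible here, so the status code for an unknown user may differ between endpoints. If the action's return type (declared outside the hunk) allows it, use the same null check and `return NotFound();` as the sibling controllers. If it cannot, add a short comment saying why the throw is kept. The hunk also contains no permission check on `user` beyond what `RequestHelpers.GetUserId` does.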
@@ -87,8 +89,6 @@ public class UserViewsController : BaseJellyfinApiController
var dtoOptions = new DtoOptions().AddClientFields(User);
dtoOptions.Fields = [..dtoOptions.Fields, ItemFields.PrimaryImageAspectRatio, ItemFields.DisplayPreferencesId];
- var user = _userManager.GetUserById(userId.Value);
-
var dtos = Array.ConvertAll(folders, i => _dtoService.GetBaseItemDto(i, dtoOptions, user));
return new QueryResult<BaseItemDto>(dtos);