aboutsummaryrefslogtreecommitdiff
path: root/Jellyfin.Api/Controllers
diff options
context:
space:
mode:
Diffstat (limited to 'Jellyfin.Api/Controllers')
-rw-r--r--Jellyfin.Api/Controllers/ImageController.cs13
-rw-r--r--Jellyfin.Api/Controllers/ItemsController.cs18
-rw-r--r--Jellyfin.Api/Controllers/UserController.cs23
3 files changed, 37 insertions, 17 deletions
diff --git a/Jellyfin.Api/Controllers/ImageController.cs b/Jellyfin.Api/Controllers/ImageController.cs
index 8e8accab3..8977cfacc 100644
--- a/Jellyfin.Api/Controllers/ImageController.cs
+++ b/Jellyfin.Api/Controllers/ImageController.cs
@@ -109,7 +109,7 @@ public class ImageController : BaseJellyfinApiController
return NotFound();
}
- if (!RequestHelpers.AssertCanUpdateUser(_userManager, HttpContext.User, requestUserId, true))
+ if (!RequestHelpers.AssertCanUpdateUser(HttpContext.User, user, true))
{
return StatusCode(StatusCodes.Status403Forbidden, "User is not allowed to update the image.");
}
@@ -203,13 +203,18 @@ public class ImageController : BaseJellyfinApiController
[FromQuery] Guid? userId)
{
var requestUserId = RequestHelpers.GetUserId(User, userId);
- if (!RequestHelpers.AssertCanUpdateUser(_userManager, HttpContext.User, requestUserId, true))
+ var user = _userManager.GetUserById(requestUserId);
+ if (user is null)
+ {
+ return NotFound();
+ }
+
+ if (!RequestHelpers.AssertCanUpdateUser(HttpContext.User, user, true))
{
return StatusCode(StatusCodes.Status403Forbidden, "User is not allowed to delete the image.");
}
- var user = _userManager.GetUserById(requestUserId);
- if (user?.ProfileImage is null)
+ if (user.ProfileImage is null)
{
return NoContent();
}
diff --git a/Jellyfin.Api/Controllers/ItemsController.cs b/Jellyfin.Api/Controllers/ItemsController.cs
index d33634412..828bd5174 100644
--- a/Jellyfin.Api/Controllers/ItemsController.cs
+++ b/Jellyfin.Api/Controllers/ItemsController.cs
@@ -972,12 +972,17 @@ public class ItemsController : BaseJellyfinApiController
[FromRoute, Required] Guid itemId)
{
var requestUserId = RequestHelpers.GetUserId(User, userId);
- if (!RequestHelpers.AssertCanUpdateUser(_userManager, User, requestUserId, true))
+ var user = _userManager.GetUserById(requestUserId);
+ if (user is null)
+ {
+ return NotFound();
+ }
+
+ if (!RequestHelpers.AssertCanUpdateUser(User, user, true))
{
return StatusCode(StatusCodes.Status403Forbidden, "User is not allowed to view this item user data.");
}
- var user = _userManager.GetUserById(requestUserId) ?? throw new ResourceNotFoundException();
var item = _libraryManager.GetItemById<BaseItem>(itemId, user);
if (item is null)
{
@@ -1023,12 +1028,17 @@ public class ItemsController : BaseJellyfinApiController
[FromBody, Required] UpdateUserItemDataDto userDataDto)
{
var requestUserId = RequestHelpers.GetUserId(User, userId);
- if (!RequestHelpers.AssertCanUpdateUser(_userManager, User, requestUserId, true))
+ var user = _userManager.GetUserById(requestUserId);
+ if (user is null)
+ {
+ return NotFound();
+ }
+
+ if (!RequestHelpers.AssertCanUpdateUser(User, user, true))
{
return StatusCode(StatusCodes.Status403Forbidden, "User is not allowed to update this item user data.");
}
- var user = _userManager.GetUserById(requestUserId) ?? throw new ResourceNotFoundException();
var item = _libraryManager.GetItemById<BaseItem>(itemId, user);
if (item is null)
{
diff --git a/Jellyfin.Api/Controllers/UserController.cs b/Jellyfin.Api/Controllers/UserController.cs
index c3923a2ad..2df79c80c 100644
--- a/Jellyfin.Api/Controllers/UserController.cs
+++ b/Jellyfin.Api/Controllers/UserController.cs
@@ -274,16 +274,15 @@ public class UserController : BaseJellyfinApiController
[FromBody, Required] UpdateUserPassword request)
{
var requestUserId = userId ?? User.GetUserId();
- if (!RequestHelpers.AssertCanUpdateUser(_userManager, User, requestUserId, true))
+ var user = _userManager.GetUserById(requestUserId);
+ if (user is null)
{
- return StatusCode(StatusCodes.Status403Forbidden, "User is not allowed to update the password.");
+ return NotFound();
}
- var user = _userManager.GetUserById(requestUserId);
-
- if (user is null)
+ if (!RequestHelpers.AssertCanUpdateUser(User, user, true))
{
- return NotFound("User not found");
+ return StatusCode(StatusCodes.Status403Forbidden, "User is not allowed to update the password.");
}
if (request.ResetPassword)
@@ -386,7 +385,7 @@ public class UserController : BaseJellyfinApiController
return NotFound();
}
- if (!RequestHelpers.AssertCanUpdateUser(_userManager, User, requestUserId, true))
+ if (!RequestHelpers.AssertCanUpdateUser(User, user, true))
{
return StatusCode(StatusCodes.Status403Forbidden, "User update not allowed.");
}
@@ -396,7 +395,7 @@ public class UserController : BaseJellyfinApiController
await _userManager.RenameUser(user, updateUser.Name).ConfigureAwait(false);
}
- await _userManager.UpdateConfigurationAsync(user.Id, updateUser.Configuration).ConfigureAwait(false);
+ await _userManager.UpdateConfigurationAsync(requestUserId, updateUser.Configuration).ConfigureAwait(false);
return NoContent();
}
@@ -495,7 +494,13 @@ public class UserController : BaseJellyfinApiController
[FromBody, Required] UserConfiguration userConfig)
{
var requestUserId = userId ?? User.GetUserId();
- if (!RequestHelpers.AssertCanUpdateUser(_userManager, User, requestUserId, true))
+ var user = _userManager.GetUserById(requestUserId);
+ if (user is null)
+ {
+ return NotFound();
+ }
+
+ if (!RequestHelpers.AssertCanUpdateUser(User, user, true))
{
return StatusCode(StatusCodes.Status403Forbidden, "User configuration update not allowed");
}
generated by cgit v1.2.3 (git 2.46.0) at 2025-12-07 01:08:13 +0000