From 6fb6b5f1766a1f37a61b9faaa40209bab995bf30 Mon Sep 17 00:00:00 2001 From: Cody Robibero Date: Sun, 14 Apr 2024 08:18:36 -0600 Subject: Validate item access (#11171) --- Jellyfin.Api/Controllers/ItemsController.cs | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) (limited to 'Jellyfin.Api/Controllers/ItemsController.cs') diff --git a/Jellyfin.Api/Controllers/ItemsController.cs b/Jellyfin.Api/Controllers/ItemsController.cs index 26ae1a820..6ffe6e7da 100644 --- a/Jellyfin.Api/Controllers/ItemsController.cs +++ b/Jellyfin.Api/Controllers/ItemsController.cs @@ -967,9 +967,13 @@ public class ItemsController : BaseJellyfinApiController } var user = _userManager.GetUserById(requestUserId) ?? throw new ResourceNotFoundException(); - var item = _libraryManager.GetItemById(itemId); + var item = _libraryManager.GetItemById(itemId, user); + if (item is null) + { + return NotFound(); + } - return (item == null) ? NotFound() : _userDataRepository.GetUserDataDto(item, user); + return _userDataRepository.GetUserDataDto(item, user); } /// @@ -1014,8 +1018,8 @@ public class ItemsController : BaseJellyfinApiController } var user = _userManager.GetUserById(requestUserId) ?? throw new ResourceNotFoundException(); - var item = _libraryManager.GetItemById(itemId); - if (item == null) + var item = _libraryManager.GetItemById(itemId, user); + if (item is null) { return NotFound(); } -- cgit v1.2.3 From 5dc6bb4910cfdc7f40ad83d647172d743e6e0595 Mon Sep 17 00:00:00 2001 From: gnattu Date: Wed, 1 May 2024 03:32:49 +0800 Subject: Fix incomplete tag query for whitelist tags (#11416) --- Emby.Server.Implementations/Data/SqliteItemRepository.cs | 14 +++++++++++++- Jellyfin.Api/Controllers/ItemsController.cs | 7 +++++++ MediaBrowser.Controller/Entities/BaseItem.cs | 2 +- 3 files changed, 21 insertions(+), 2 deletions(-) (limited to 'Jellyfin.Api/Controllers/ItemsController.cs') diff --git a/Emby.Server.Implementations/Data/SqliteItemRepository.cs b/Emby.Server.Implementations/Data/SqliteItemRepository.cs index 0a8a36ebc..e3015095c 100644 --- a/Emby.Server.Implementations/Data/SqliteItemRepository.cs +++ b/Emby.Server.Implementations/Data/SqliteItemRepository.cs @@ -4202,7 +4202,19 @@ namespace Emby.Server.Implementations.Data { int index = 0; string includedTags = string.Join(',', query.IncludeInheritedTags.Select(_ => paramName + index++)); - whereClauses.Add("((select CleanValue from ItemValues where ItemId=Guid and Type=6 and cleanvalue in (" + includedTags + ")) is not null)"); + // Episodes do not store inherit tags from their parents in the database, and the tag may be still required by the client. + // In addtion to the tags for the episodes themselves, we need to manually query its parent (the season)'s tags as well. + if (includeTypes.Length == 1 && includeTypes.FirstOrDefault() is BaseItemKind.Episode) + { + whereClauses.Add($""" + ((select CleanValue from ItemValues where ItemId=Guid and Type=6 and CleanValue in ({includedTags})) is not null + OR (select CleanValue from ItemValues where ItemId=ParentId and Type=6 and CleanValue in ({includedTags})) is not null) + """); + } + else + { + whereClauses.Add("((select CleanValue from ItemValues where ItemId=Guid and Type=6 and cleanvalue in (" + includedTags + ")) is not null)"); + } } else { diff --git a/Jellyfin.Api/Controllers/ItemsController.cs b/Jellyfin.Api/Controllers/ItemsController.cs index 6ffe6e7da..70f805336 100644 --- a/Jellyfin.Api/Controllers/ItemsController.cs +++ b/Jellyfin.Api/Controllers/ItemsController.cs @@ -256,6 +256,13 @@ public class ItemsController : BaseJellyfinApiController return BadRequest("userId is required"); } + if (user is not null + && user.GetPreference(PreferenceKind.AllowedTags).Length != 0 + && !fields.Contains(ItemFields.Tags)) + { + fields = [..fields, ItemFields.Tags]; + } + var dtoOptions = new DtoOptions { Fields = fields } .AddClientFields(User) .AddAdditionalDtoOptions(enableImages, enableUserData, imageTypeLimit, enableImageTypes); diff --git a/MediaBrowser.Controller/Entities/BaseItem.cs b/MediaBrowser.Controller/Entities/BaseItem.cs index adbbbaa03..6c9097689 100644 --- a/MediaBrowser.Controller/Entities/BaseItem.cs +++ b/MediaBrowser.Controller/Entities/BaseItem.cs @@ -1610,7 +1610,7 @@ namespace MediaBrowser.Controller.Entities } var parent = GetParents().FirstOrDefault() ?? this; - if (parent is UserRootFolder) + if (parent is UserRootFolder or AggregateFolder) { return true; } -- cgit v1.2.3 From 1accfd79da399b80aeed4aba2fb32cd90bd8673b Mon Sep 17 00:00:00 2001 From: Cody Robibero Date: Wed, 1 May 2024 06:42:01 -0600 Subject: Always attempt to get User if a user id is provided (#11471) --- Jellyfin.Api/Controllers/ItemsController.cs | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'Jellyfin.Api/Controllers/ItemsController.cs') diff --git a/Jellyfin.Api/Controllers/ItemsController.cs b/Jellyfin.Api/Controllers/ItemsController.cs index 70f805336..cd4a0a23b 100644 --- a/Jellyfin.Api/Controllers/ItemsController.cs +++ b/Jellyfin.Api/Controllers/ItemsController.cs @@ -246,9 +246,9 @@ public class ItemsController : BaseJellyfinApiController var isApiKey = User.GetIsApiKey(); // if api key is used (auth.IsApiKey == true), then `user` will be null throughout this method userId = RequestHelpers.GetUserId(User, userId); - var user = !isApiKey && !userId.IsNullOrEmpty() - ? _userManager.GetUserById(userId.Value) ?? throw new ResourceNotFoundException() - : null; + var user = userId.IsNullOrEmpty() + ? null + : _userManager.GetUserById(userId.Value) ?? throw new ResourceNotFoundException(); // beyond this point, we're either using an api key or we have a valid user if (!isApiKey && user is null) -- cgit v1.2.3 From 69e0ed42eaff9731d2554d121e73810526172bb8 Mon Sep 17 00:00:00 2001 From: Niels van Velzen Date: Fri, 7 Jun 2024 22:30:40 +0200 Subject: Support filter by index number in ItemsController --- Jellyfin.Api/Controllers/ItemsController.cs | 4 ++++ Jellyfin.Api/Controllers/TrailersController.cs | 1 + 2 files changed, 5 insertions(+) (limited to 'Jellyfin.Api/Controllers/ItemsController.cs') diff --git a/Jellyfin.Api/Controllers/ItemsController.cs b/Jellyfin.Api/Controllers/ItemsController.cs index cd4a0a23b..d33634412 100644 --- a/Jellyfin.Api/Controllers/ItemsController.cs +++ b/Jellyfin.Api/Controllers/ItemsController.cs @@ -76,6 +76,7 @@ public class ItemsController : BaseJellyfinApiController /// Optional filter by items with special features. /// Optional filter by items with trailers. /// Optional. Return items that are siblings of a supplied item. + /// Optional filter by index number. /// Optional filter by parent index number. /// Optional filter by items that have or do not have a parental rating. /// Optional filter by items that are HD or not. @@ -165,6 +166,7 @@ public class ItemsController : BaseJellyfinApiController [FromQuery] bool? hasSpecialFeature, [FromQuery] bool? hasTrailer, [FromQuery] Guid? adjacentTo, + [FromQuery] int? indexNumber, [FromQuery] int? parentIndexNumber, [FromQuery] bool? hasParentalRating, [FromQuery] bool? isHd, @@ -366,6 +368,7 @@ public class ItemsController : BaseJellyfinApiController MinCommunityRating = minCommunityRating, MinCriticRating = minCriticRating, ParentId = parentId ?? Guid.Empty, + IndexNumber = indexNumber, ParentIndexNumber = parentIndexNumber, EnableTotalRecordCount = enableTotalRecordCount, ExcludeItemIds = excludeItemIds, @@ -717,6 +720,7 @@ public class ItemsController : BaseJellyfinApiController hasSpecialFeature, hasTrailer, adjacentTo, + null, parentIndexNumber, hasParentalRating, isHd, diff --git a/Jellyfin.Api/Controllers/TrailersController.cs b/Jellyfin.Api/Controllers/TrailersController.cs index 4fbaafa2a..d7d0cc454 100644 --- a/Jellyfin.Api/Controllers/TrailersController.cs +++ b/Jellyfin.Api/Controllers/TrailersController.cs @@ -215,6 +215,7 @@ public class TrailersController : BaseJellyfinApiController hasSpecialFeature, hasTrailer, adjacentTo, + null, parentIndexNumber, hasParentalRating, isHd, -- cgit v1.2.3