From 6fb6b5f1766a1f37a61b9faaa40209bab995bf30 Mon Sep 17 00:00:00 2001
From: Cody Robibero <cody@robibe.ro>
Date: Sun, 14 Apr 2024 08:18:36 -0600
Subject: Validate item access (#11171)

---
 Jellyfin.Api/Controllers/ItemsController.cs | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

(limited to 'Jellyfin.Api/Controllers/ItemsController.cs')

diff --git a/Jellyfin.Api/Controllers/ItemsController.cs b/Jellyfin.Api/Controllers/ItemsController.cs
index 26ae1a820..6ffe6e7da 100644
--- a/Jellyfin.Api/Controllers/ItemsController.cs
+++ b/Jellyfin.Api/Controllers/ItemsController.cs
@@ -967,9 +967,13 @@ public class ItemsController : BaseJellyfinApiController
         }
 
         var user = _userManager.GetUserById(requestUserId) ?? throw new ResourceNotFoundException();
-        var item = _libraryManager.GetItemById(itemId);
+        var item = _libraryManager.GetItemById<BaseItem>(itemId, user);
+        if (item is null)
+        {
+            return NotFound();
+        }
 
-        return (item == null) ? NotFound() : _userDataRepository.GetUserDataDto(item, user);
+        return _userDataRepository.GetUserDataDto(item, user);
     }
 
     /// <summary>
@@ -1014,8 +1018,8 @@ public class ItemsController : BaseJellyfinApiController
         }
 
         var user = _userManager.GetUserById(requestUserId) ?? throw new ResourceNotFoundException();
-        var item = _libraryManager.GetItemById(itemId);
-        if (item == null)
+        var item = _libraryManager.GetItemById<BaseItem>(itemId, user);
+        if (item is null)
         {
             return NotFound();
         }
-- 
cgit v1.2.3