From 6fb6b5f1766a1f37a61b9faaa40209bab995bf30 Mon Sep 17 00:00:00 2001
From: Cody Robibero <cody@robibe.ro>
Date: Sun, 14 Apr 2024 08:18:36 -0600
Subject: Validate item access (#11171)

---
 Jellyfin.Api/Controllers/LibraryStructureController.cs | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

(limited to 'Jellyfin.Api/Controllers/LibraryStructureController.cs')

diff --git a/Jellyfin.Api/Controllers/LibraryStructureController.cs b/Jellyfin.Api/Controllers/LibraryStructureController.cs
index 23c430f85..c1d01a5c2 100644
--- a/Jellyfin.Api/Controllers/LibraryStructureController.cs
+++ b/Jellyfin.Api/Controllers/LibraryStructureController.cs
@@ -6,6 +6,8 @@ using System.IO;
 using System.Linq;
 using System.Threading;
 using System.Threading.Tasks;
+using Jellyfin.Api.Extensions;
+using Jellyfin.Api.Helpers;
 using Jellyfin.Api.ModelBinders;
 using Jellyfin.Api.Models.LibraryStructureDto;
 using MediaBrowser.Common.Api;
@@ -311,15 +313,21 @@ public class LibraryStructureController : BaseJellyfinApiController
     /// </summary>
     /// <param name="request">The library name and options.</param>
     /// <response code="204">Library updated.</response>
+    /// <response code="404">Item not found.</response>
     /// <returns>A <see cref="NoContentResult"/>.</returns>
     [HttpPost("LibraryOptions")]
     [ProducesResponseType(StatusCodes.Status204NoContent)]
+    [ProducesResponseType(StatusCodes.Status404NotFound)]
     public ActionResult UpdateLibraryOptions(
         [FromBody] UpdateLibraryOptionsDto request)
     {
-        var collectionFolder = (CollectionFolder)_libraryManager.GetItemById(request.Id);
+        var item = _libraryManager.GetItemById<CollectionFolder>(request.Id, User.GetUserId());
+        if (item is null)
+        {
+            return NotFound();
+        }
 
-        collectionFolder.UpdateLibraryOptions(request.LibraryOptions);
+        item.UpdateLibraryOptions(request.LibraryOptions);
         return NoContent();
     }
 }
-- 
cgit v1.2.3