From 6fb6b5f1766a1f37a61b9faaa40209bab995bf30 Mon Sep 17 00:00:00 2001
From: Cody Robibero <cody@robibe.ro>
Date: Sun, 14 Apr 2024 08:18:36 -0600
Subject: Validate item access (#11171)

---
 Jellyfin.Api/Controllers/PlaylistsController.cs | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

(limited to 'Jellyfin.Api/Controllers/PlaylistsController.cs')

diff --git a/Jellyfin.Api/Controllers/PlaylistsController.cs b/Jellyfin.Api/Controllers/PlaylistsController.cs
index 1100f85cf..abf94a32f 100644
--- a/Jellyfin.Api/Controllers/PlaylistsController.cs
+++ b/Jellyfin.Api/Controllers/PlaylistsController.cs
@@ -482,8 +482,13 @@ public class PlaylistsController : BaseJellyfinApiController
         var user = userId.IsNullOrEmpty()
             ? null
             : _userManager.GetUserById(userId.Value);
+        var item = _libraryManager.GetItemById<Playlist>(playlistId, user);
+        if (item is null)
+        {
+            return NotFound();
+        }
 
-        var items = playlist.GetManageableItems().ToArray();
+        var items = item.GetManageableItems().ToArray();
         var count = items.Length;
         if (startIndex.HasValue)
         {
-- 
cgit v1.2.3