From 6fb6b5f1766a1f37a61b9faaa40209bab995bf30 Mon Sep 17 00:00:00 2001
From: Cody Robibero
Date: Sun, 14 Apr 2024 08:18:36 -0600
Subject: Validate item access (#11171)
---
 Jellyfin.Api/Controllers/PlaystateController.cs | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)
(limited to 'Jellyfin.Api/Controllers/PlaystateController.cs')
diff --git a/Jellyfin.Api/Controllers/PlaystateController.cs b/Jellyfin.Api/Controllers/PlaystateController.cs
index 949d101dc..9d6d75681 100644
--- a/Jellyfin.Api/Controllers/PlaystateController.cs
+++ b/Jellyfin.Api/Controllers/PlaystateController.cs
@@ -6,6 +6,7 @@ using Jellyfin.Api.Extensions;
 using Jellyfin.Api.Helpers;
 using Jellyfin.Api.ModelBinders;
 using Jellyfin.Data.Entities;
+using Jellyfin.Extensions;
 using MediaBrowser.Controller.Entities;
 using MediaBrowser.Controller.Library;
 using MediaBrowser.Controller.MediaEncoding;
@@ -76,21 +77,21 @@ public class PlaystateController : BaseJellyfinApiController
 [FromRoute, Required] Guid itemId,
 [FromQuery, ModelBinder(typeof(LegacyDateTimeModelBinder))] DateTime? datePlayed)
 {
- var requestUserId = RequestHelpers.GetUserId(User, userId);
- var user = _userManager.GetUserById(requestUserId);
+ userId = RequestHelpers.GetUserId(User, userId);
+ var user = _userManager.GetUserById(userId.Value);
 if (user is null)
 {
 return NotFound();
 }
- var session = await RequestHelpers.GetSession(_sessionManager, _userManager, HttpContext).ConfigureAwait(false);
-
- var item = _libraryManager.GetItemById(itemId);
+ var item = _libraryManager.GetItemById(itemId, user);
 if (item is null)
 {
 return NotFound();
 }
+ var session = await RequestHelpers.GetSession(_sessionManager, _userManager, HttpContext).ConfigureAwait(false);
+ var dto = UpdatePlayedStatus(user, item, true, datePlayed);
 foreach (var additionalUserInfo in session.AdditionalUsers)
 {
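Review bot: Item access is validated only for `user`, yet the `item` returned by `_libraryManager.GetItemById(itemId, user)` is also what the `foreach` over `session.AdditionalUsers` works with; the loop body lies outside this hunk, so the rest of this note is inferred. If the loop applies the played state to each additional user, none of them is checked against the item, so play state can be recorded for a companion user on an item that user may not be allowed to see. Consider repeating the lookup per user inside the loop, for example `if (_libraryManager.GetItemById(itemId, additionalUser) is null) { continue; }` (`additionalUser` stands for whatever user object the loop resolves), or add a comment stating why the primary user's access is sufficient. The `@@ -141,21 +142,21 @@` hunk has the same shape and needs the same treatment.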
@@ -141,21 +142,21 @@ public class PlaystateController : BaseJellyfinApiController
 [FromQuery] Guid? userId,
 [FromRoute, Required] Guid itemId)
 {
- var requestUserId = RequestHelpers.GetUserId(User, userId);
- var user = _userManager.GetUserById(requestUserId);
+ userId = RequestHelpers.GetUserId(User, userId);
+ var user = _userManager.GetUserById(userId.Value);
 if (user is null)
 {
 return NotFound();
 }
- var session = await RequestHelpers.GetSession(_sessionManager, _userManager, HttpContext).ConfigureAwait(false);
- var item = _libraryManager.GetItemById(itemId);
-
+ var item = _libraryManager.GetItemById(itemId, user);
 if (item is null)
 {
 return NotFound();
 }
+ var session = await RequestHelpers.GetSession(_sessionManager, _userManager, HttpContext).ConfigureAwait(false);
+ var dto = UpdatePlayedStatus(user, item, false, null);
 foreach (var additionalUserInfo in session.AdditionalUsers)
 {
-- cgit v1.2.3
From 8c583bbe3709d59f59801053912aa8cb1dbd9367 Mon Sep 17 00:00:00 2001
From: gnattu
Date: Tue, 7 May 2024 23:43:54 +0800
Subject: Allow explicitly set userId for RequestHelpers.GetSession (#11505)
---
 Jellyfin.Api/Controllers/PlaystateController.cs | 4 ++--
 Jellyfin.Api/Helpers/RequestHelpers.cs | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)
(limited to 'Jellyfin.Api/Controllers/PlaystateController.cs')
diff --git a/Jellyfin.Api/Controllers/PlaystateController.cs b/Jellyfin.Api/Controllers/PlaystateController.cs
index 9d6d75681..88aa0178f 100644
--- a/Jellyfin.Api/Controllers/PlaystateController.cs
+++ b/Jellyfin.Api/Controllers/PlaystateController.cs
@@ -90,7 +90,7 @@ public class PlaystateController : BaseJellyfinApiController
 return NotFound();
 }
- var session = await RequestHelpers.GetSession(_sessionManager, _userManager, HttpContext).ConfigureAwait(false);
+ var session = await RequestHelpers.GetSession(_sessionManager, _userManager, HttpContext, userId).ConfigureAwait(false);
 var dto = UpdatePlayedStatus(user, item, true, datePlayed);
 foreach (var additionalUserInfo in session.AdditionalUsers)
@@ -155,7 +155,7 @@ public class PlaystateController : BaseJellyfinApiController
 return NotFound();
 }
- var session = await RequestHelpers.GetSession(_sessionManager, _userManager, HttpContext).ConfigureAwait(false);
+ var session = await RequestHelpers.GetSession(_sessionManager, _userManager, HttpContext, userId).ConfigureAwait(false);
 var dto = UpdatePlayedStatus(user, item, false, null);
 foreach (var additionalUserInfo in session.AdditionalUsers)
diff --git a/Jellyfin.Api/Helpers/RequestHelpers.cs b/Jellyfin.Api/Helpers/RequestHelpers.cs
index 429e97213..b607e9104 100644
--- a/Jellyfin.Api/Helpers/RequestHelpers.cs
+++ b/Jellyfin.Api/Helpers/RequestHelpers.cs
@@ -117,10 +117,10 @@ public static class RequestHelpers
 return user.EnableUserPreferenceAccess;
 }
- internal static async Task GetSession(ISessionManager sessionManager, IUserManager userManager, HttpContext httpContext)
+ internal static async Task GetSession(ISessionManager sessionManager, IUserManager userManager, HttpContext httpContext, Guid? userId = null)
 {
- var userId = httpContext.User.GetUserId();
- var user = userManager.GetUserById(userId);
+ userId ??= httpContext.User.GetUserId();
+ var user = userManager.GetUserById(userId.Value);
 var session = await sessionManager.LogSessionActivity(
 httpContext.User.GetClient(),
 httpContext.User.GetVersion(),
-- cgit v1.2.3
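Review bot: Passing `userId` into `RequestHelpers.GetSession` is only as safe as the earlier reassignment `userId = RequestHelpers.GetUserId(User, userId)`, which sits outside this hunk and presumably reconciles the query value with the authenticated principal; without it the raw `[FromQuery] Guid? userId` would reach the session lookup. That dependency is invisible at the call site, so a comment above the call would help, e.g. `// userId was resolved by RequestHelpers.GetUserId above; never pass the raw query value here.` A separately named local for the resolved ID would make the distinction harder to undo in a later refactor. The same call in the `@@ -155,7 +155,7 @@` hunk carries the same dependency.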
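Review bot: The new `userId` parameter of `GetSession` is used as given: `userId ??= httpContext.User.GetUserId()` only fills in a missing value, and nothing in the hunk ties a supplied ID to the principal in `httpContext`, while the client and version passed to `LogSessionActivity` still come from `httpContext.User`. The helper is `internal`, so this is a caller contract rather than an exposed input, but it should be written down in an XML doc on the method, e.g. `/// <param name="userId">User the session is attributed to; must already be authorized for the caller (see GetUserId). Defaults to the authenticated user.</param>`. The result of `userManager.GetUserById(userId.Value)` is also not null-checked within the hunk, although the controllers treat that call as nullable (`if (user is null)`). The remaining arguments of `LogSessionActivity` are outside the hunk, so whether `user` is dereferenced there cannot be confirmed from here.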