From 6fb6b5f1766a1f37a61b9faaa40209bab995bf30 Mon Sep 17 00:00:00 2001
From: Cody Robibero <cody@robibe.ro>
Date: Sun, 14 Apr 2024 08:18:36 -0600
Subject: Validate item access (#11171)

---
 Jellyfin.Api/Controllers/VideoAttachmentsController.cs | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

(limited to 'Jellyfin.Api/Controllers/VideoAttachmentsController.cs')

diff --git a/Jellyfin.Api/Controllers/VideoAttachmentsController.cs b/Jellyfin.Api/Controllers/VideoAttachmentsController.cs
index 23b9ba46f..b67c6fdb7 100644
--- a/Jellyfin.Api/Controllers/VideoAttachmentsController.cs
+++ b/Jellyfin.Api/Controllers/VideoAttachmentsController.cs
@@ -4,7 +4,10 @@ using System.Net.Mime;
 using System.Threading;
 using System.Threading.Tasks;
 using Jellyfin.Api.Attributes;
+using Jellyfin.Api.Extensions;
+using Jellyfin.Api.Helpers;
 using MediaBrowser.Common.Extensions;
+using MediaBrowser.Controller.Entities;
 using MediaBrowser.Controller.Library;
 using MediaBrowser.Controller.MediaEncoding;
 using Microsoft.AspNetCore.Http;
@@ -54,7 +57,7 @@ public class VideoAttachmentsController : BaseJellyfinApiController
     {
         try
         {
-            var item = _libraryManager.GetItemById(videoId);
+            var item = _libraryManager.GetItemById<BaseItem>(videoId, User.GetUserId());
             if (item is null)
             {
                 return NotFound();
-- 
cgit v1.2.3