pt
/
jellyfin
mirror of https://github.com/jellyfin/jellyfin.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Added access validation to view item user data.

This commit is contained in:
ArabCoders 2023-11-13 15:55:12 +03:00
parent 2a25c5a2e3
commit faa036aa7b
1 changed files with 5 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
Jellyfin.Api/Controllers/ItemsController.cs
View File

@ -902,6 +902,11 @@ public class ItemsController : BaseJellyfinApiController
[FromRoute, Required] Guid userId,
[FromRoute, Required] Guid itemId)
{
if (!RequestHelpers.AssertCanUpdateUser(_userManager, User, userId, true))
{
return StatusCode(StatusCodes.Status403Forbidden, "User is not allowed to view this item user data.");
}
var user = _userManager.GetUserById(userId) ?? throw new ResourceNotFoundException();
var item = _libraryManager.GetItemById(itemId);