mirror of
https://github.com/jellyfin/jellyfin.git
synced 2024-07-09 07:10:34 +02:00
Added access validation to view item user data.
This commit is contained in:
parent
2a25c5a2e3
commit
faa036aa7b
|
@ -902,6 +902,11 @@ public class ItemsController : BaseJellyfinApiController
|
||||||
[FromRoute, Required] Guid userId,
|
[FromRoute, Required] Guid userId,
|
||||||
[FromRoute, Required] Guid itemId)
|
[FromRoute, Required] Guid itemId)
|
||||||
{
|
{
|
||||||
|
if (!RequestHelpers.AssertCanUpdateUser(_userManager, User, userId, true))
|
||||||
|
{
|
||||||
|
return StatusCode(StatusCodes.Status403Forbidden, "User is not allowed to view this item user data.");
|
||||||
|
}
|
||||||
|
|
||||||
var user = _userManager.GetUserById(userId) ?? throw new ResourceNotFoundException();
|
var user = _userManager.GetUserById(userId) ?? throw new ResourceNotFoundException();
|
||||||
var item = _libraryManager.GetItemById(itemId);
|
var item = _libraryManager.GetItemById(itemId);
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue