Added access validation to view item user data.

2023-11-13 15:55:12 +03:00 · 2023-11-13 15:55:12 +03:00 · faa036aa7b
commit faa036aa7b
parent 2a25c5a2e3
1 changed files with 5 additions and 0 deletions
--- a/Jellyfin.Api/Controllers/ItemsController.cs
+++ b/Jellyfin.Api/Controllers/ItemsController.cs
@ -902,6 +902,11 @@ public class ItemsController : BaseJellyfinApiController
        [FromRoute, Required] Guid userId,
        [FromRoute, Required] Guid itemId)
    {
+        if (!RequestHelpers.AssertCanUpdateUser(_userManager, User, userId, true))
+        {
+            return StatusCode(StatusCodes.Status403Forbidden, "User is not allowed to view this item user data.");
+        }
+
        var user = _userManager.GetUserById(userId) ?? throw new ResourceNotFoundException();
        var item = _libraryManager.GetItemById(itemId);