starred/jellyfin-jellyfin-1
1
0
Fork 0
mirror of https://github.com/jellyfin/jellyfin.git synced 2025-12-16 22:13:06 +03:00
Code Issues Packages Projects Releases Wiki Activity

Validate item access (#11171)

Browse Source
This commit is contained in:
Cody Robibero
2024-04-14 08:18:36 -06:00
committed by GitHub
parent 9a4db80085
commit 6fb6b5f176
28 changed files with 422 additions and 289 deletions
Download Patch File Download Diff File Expand all files Collapse all files

58
Jellyfin.Api/Controllers/LyricsController.cs
View File

@@ -7,6 +7,7 @@ using System.Threading;
using System.Threading.Tasks;
using Jellyfin.Api.Attributes;
using Jellyfin.Api.Extensions;
using Jellyfin.Api.Helpers;
using Jellyfin.Extensions;
using MediaBrowser.Common.Api;
using MediaBrowser.Controller.Entities.Audio;
@@ -66,37 +67,16 @@ public class LyricsController : BaseJellyfinApiController
[HttpGet("Audio/{itemId}/Lyrics")]
[Authorize]
[ProducesResponseType(StatusCodes.Status200OK)]
[ProducesResponseType(StatusCodes.Status404NotFound)]
public async Task<ActionResult<LyricDto>> GetLyrics([FromRoute, Required] Guid itemId)
{
var isApiKey = User.GetIsApiKey();
var userId = User.GetUserId();
if (!isApiKey && userId.IsEmpty())
{
return BadRequest();
}
var audio = _libraryManager.GetItemById<Audio>(itemId);
if (audio is null)
var item = _libraryManager.GetItemById<Audio>(itemId, User.GetUserId());
if (item is null)
{
return NotFound();
}
if (!isApiKey)
{
var user = _userManager.GetUserById(userId);
if (user is null)
{
return NotFound();
}
// Check the item is visible for the user
if (!audio.IsVisible(user))
{
return Unauthorized($"{user.Username} is not permitted to access item {audio.Name}.");
}
}
var result = await _lyricManager.GetLyricsAsync(audio, CancellationToken.None).ConfigureAwait(false);
var result = await _lyricManager.GetLyricsAsync(item, CancellationToken.None).ConfigureAwait(false);
if (result is not null)
{
return Ok(result);
@@ -124,8 +104,8 @@ public class LyricsController : BaseJellyfinApiController
[FromRoute, Required] Guid itemId,
[FromQuery, Required] string fileName)
{
var audio = _libraryManager.GetItemById<Audio>(itemId);
if (audio is null)
var item = _libraryManager.GetItemById<Audio>(itemId, User.GetUserId());
if (item is null)
{
return NotFound();
}
@@ -147,7 +127,7 @@ public class LyricsController : BaseJellyfinApiController
{
await Request.Body.CopyToAsync(stream).ConfigureAwait(false);
var uploadedLyric = await _lyricManager.SaveLyricAsync(
audio,
item,
format,
stream)
.ConfigureAwait(false);
@@ -157,7 +137,7 @@ public class LyricsController : BaseJellyfinApiController
return BadRequest();
}
_providerManager.QueueRefresh(audio.Id, new MetadataRefreshOptions(new DirectoryService(_fileSystem)), RefreshPriority.High);
_providerManager.QueueRefresh(item.Id, new MetadataRefreshOptions(new DirectoryService(_fileSystem)), RefreshPriority.High);
return Ok(uploadedLyric);
}
}
@@ -176,13 +156,13 @@ public class LyricsController : BaseJellyfinApiController
public async Task<ActionResult> DeleteLyrics(
[FromRoute, Required] Guid itemId)
{
var audio = _libraryManager.GetItemById<Audio>(itemId);
if (audio is null)
var item = _libraryManager.GetItemById<Audio>(itemId, User.GetUserId());
if (item is null)
{
return NotFound();
}
await _lyricManager.DeleteLyricsAsync(audio).ConfigureAwait(false);
await _lyricManager.DeleteLyricsAsync(item).ConfigureAwait(false);
return NoContent();
}
@@ -199,13 +179,13 @@ public class LyricsController : BaseJellyfinApiController
[ProducesResponseType(StatusCodes.Status404NotFound)]
public async Task<ActionResult<IReadOnlyList<RemoteLyricInfoDto>>> SearchRemoteLyrics([FromRoute, Required] Guid itemId)
{
var audio = _libraryManager.GetItemById<Audio>(itemId);
if (audio is null)
var item = _libraryManager.GetItemById<Audio>(itemId, User.GetUserId());
if (item is null)
{
return NotFound();
}
var results = await _lyricManager.SearchLyricsAsync(audio, false, CancellationToken.None).ConfigureAwait(false);
var results = await _lyricManager.SearchLyricsAsync(item, false, CancellationToken.None).ConfigureAwait(false);
return Ok(results);
}
@@ -225,19 +205,19 @@ public class LyricsController : BaseJellyfinApiController
[FromRoute, Required] Guid itemId,
[FromRoute, Required] string lyricId)
{
var audio = _libraryManager.GetItemById<Audio>(itemId);
if (audio is null)
var item = _libraryManager.GetItemById<Audio>(itemId, User.GetUserId());
if (item is null)
{
return NotFound();
}
var downloadedLyrics = await _lyricManager.DownloadLyricsAsync(audio, lyricId, CancellationToken.None).ConfigureAwait(false);
var downloadedLyrics = await _lyricManager.DownloadLyricsAsync(item, lyricId, CancellationToken.None).ConfigureAwait(false);
if (downloadedLyrics is null)
{
return NotFound();
}
_providerManager.QueueRefresh(audio.Id, new MetadataRefreshOptions(new DirectoryService(_fileSystem)), RefreshPriority.High);
_providerManager.QueueRefresh(item.Id, new MetadataRefreshOptions(new DirectoryService(_fileSystem)), RefreshPriority.High);
return Ok(downloadedLyrics);
}