Validate item access (#11171)

2025-12-14 04:53:02 +03:00 · 2024-04-14 08:18:36 -06:00
parent 9a4db80085
commit 6fb6b5f176
28 changed files with 422 additions and 289 deletions
--- a/Jellyfin.Api/Controllers/UniversalAudioController.cs
+++ b/Jellyfin.Api/Controllers/UniversalAudioController.cs
@@ -9,7 +9,9 @@ using Jellyfin.Api.Helpers;
 using Jellyfin.Api.ModelBinders;
 using Jellyfin.Api.Models.StreamingDtos;
 using Jellyfin.Data.Enums;
+using Jellyfin.Extensions;
 using MediaBrowser.Common.Extensions;
+using MediaBrowser.Controller.Entities;
 using MediaBrowser.Controller.Library;
 using MediaBrowser.Controller.MediaEncoding;
 using MediaBrowser.Controller.Streaming;
@@ -33,6 +35,7 @@ public class UniversalAudioController : BaseJellyfinApiController
    private readonly MediaInfoHelper _mediaInfoHelper;
    private readonly AudioHelper _audioHelper;
    private readonly DynamicHlsHelper _dynamicHlsHelper;
+    private readonly IUserManager _userManager;

    /// <summary>
    /// Initializes a new instance of the <see cref="UniversalAudioController"/> class.
@@ -42,18 +45,21 @@ public class UniversalAudioController : BaseJellyfinApiController
    /// <param name="mediaInfoHelper">Instance of <see cref="MediaInfoHelper"/>.</param>
    /// <param name="audioHelper">Instance of <see cref="AudioHelper"/>.</param>
    /// <param name="dynamicHlsHelper">Instance of <see cref="DynamicHlsHelper"/>.</param>
+    /// <param name="userManager">Instance of the <see cref="IUserManager"/> interface.</param>
    public UniversalAudioController(
        ILibraryManager libraryManager,
        ILogger<UniversalAudioController> logger,
        MediaInfoHelper mediaInfoHelper,
        AudioHelper audioHelper,
-        DynamicHlsHelper dynamicHlsHelper)
+        DynamicHlsHelper dynamicHlsHelper,
+        IUserManager userManager)
    {
        _libraryManager = libraryManager;
        _logger = logger;
        _mediaInfoHelper = mediaInfoHelper;
        _audioHelper = audioHelper;
        _dynamicHlsHelper = dynamicHlsHelper;
+        _userManager = userManager;
    }

    /// <summary>
@@ -79,12 +85,14 @@ public class UniversalAudioController : BaseJellyfinApiController
    /// <param name="enableRedirection">Whether to enable redirection. Defaults to true.</param>
    /// <response code="200">Audio stream returned.</response>
    /// <response code="302">Redirected to remote audio stream.</response>
+    /// <response code="404">Item not found.</response>
    /// <returns>A <see cref="Task"/> containing the audio file.</returns>
    [HttpGet("Audio/{itemId}/universal")]
    [HttpHead("Audio/{itemId}/universal", Name = "HeadUniversalAudioStream")]
    [Authorize]
    [ProducesResponseType(StatusCodes.Status200OK)]
    [ProducesResponseType(StatusCodes.Status302Found)]
+    [ProducesResponseType(StatusCodes.Status404NotFound)]
    [ProducesAudioFile]
    public async Task<ActionResult> GetUniversalAudioStream(
        [FromRoute, Required] Guid itemId,
@@ -106,20 +114,27 @@ public class UniversalAudioController : BaseJellyfinApiController
        [FromQuery] bool breakOnNonKeyFrames = false,
        [FromQuery] bool enableRedirection = true)
    {
-        var deviceProfile = GetDeviceProfile(container, transcodingContainer, audioCodec, transcodingProtocol, breakOnNonKeyFrames, transcodingAudioChannels, maxAudioSampleRate, maxAudioBitDepth, maxAudioChannels);
        userId = RequestHelpers.GetUserId(User, userId);
+        var user = userId.IsNullOrEmpty()
+            ? null
+            : _userManager.GetUserById(userId.Value);
+        var item = _libraryManager.GetItemById<BaseItem>(itemId, user);
+        if (item is null)
+        {
+            return NotFound();
+        }
+
+        var deviceProfile = GetDeviceProfile(container, transcodingContainer, audioCodec, transcodingProtocol, breakOnNonKeyFrames, transcodingAudioChannels, maxAudioSampleRate, maxAudioBitDepth, maxAudioChannels);

        _logger.LogInformation("GetPostedPlaybackInfo profile: {@Profile}", deviceProfile);

        var info = await _mediaInfoHelper.GetPlaybackInfo(
-                itemId,
-                userId,
+                item,
+                user,
                mediaSourceId)
            .ConfigureAwait(false);

        // set device specific data
-        var item = _libraryManager.GetItemById(itemId);
-
        foreach (var sourceInfo in info.MediaSources)
        {
            _mediaInfoHelper.SetDeviceSpecificData(