Validate requested user id (#8812)

2025-12-16 05:53:03 +03:00 · 2023-02-17 15:16:08 -07:00
parent 9979b346ea
commit a527034ebe
24 changed files with 232 additions and 70 deletions
--- a/Jellyfin.Api/Controllers/ItemsController.cs
+++ b/Jellyfin.Api/Controllers/ItemsController.cs
@@ -240,7 +240,8 @@ public class ItemsController : BaseJellyfinApiController
    {
        var isApiKey = User.GetIsApiKey();
        // if api key is used (auth.IsApiKey == true), then `user` will be null throughout this method
-        var user = !isApiKey && userId.HasValue && !userId.Value.Equals(default)
+        userId = RequestHelpers.GetUserId(User, userId);
+        var user = !isApiKey && !userId.Value.Equals(default)
            ? _userManager.GetUserById(userId.Value) ?? throw new ResourceNotFoundException()
            : null;