add "user canDelete" check to api delete subtitle endpoint

jellyfin · May 17, 2024 · b8a3747 · b8a3747
1 parent e42e8fe
commit b8a3747
Showing 1 changed file with 21 additions and 1 deletion.
diff --git a/Jellyfin.Api/Controllers/SubtitleController.cs b/Jellyfin.Api/Controllers/SubtitleController.cs
@@ -12,8 +12,8 @@
 using System.Threading.Tasks;
 using Jellyfin.Api.Attributes;
 using Jellyfin.Api.Extensions;
-using Jellyfin.Api.Helpers;
 using Jellyfin.Api.Models.SubtitleDtos;
+using Jellyfin.Extensions;
 using MediaBrowser.Common.Api;
 using MediaBrowser.Common.Configuration;
 using MediaBrowser.Controller.Configuration;
@@ -44,6 +44,7 @@ public class SubtitleController : BaseJellyfinApiController
     private readonly ILibraryManager _libraryManager;
     private readonly ISubtitleManager _subtitleManager;
     private readonly ISubtitleEncoder _subtitleEncoder;
+    private readonly IUserManager _userManager;
     private readonly IMediaSourceManager _mediaSourceManager;
     private readonly IProviderManager _providerManager;
     private readonly IFileSystem _fileSystem;
@@ -54,6 +55,7 @@ public class SubtitleController : BaseJellyfinApiController
     /// </summary>
     /// <param name="serverConfigurationManager">Instance of <see cref="IServerConfigurationManager"/> interface.</param>
     /// <param name="libraryManager">Instance of <see cref="ILibraryManager"/> interface.</param>
+    /// <param name="userManager">Instance of the <see cref="IUserManager"/> interface.</param>
     /// <param name="subtitleManager">Instance of <see cref="ISubtitleManager"/> interface.</param>
     /// <param name="subtitleEncoder">Instance of <see cref="ISubtitleEncoder"/> interface.</param>
     /// <param name="mediaSourceManager">Instance of <see cref="IMediaSourceManager"/> interface.</param>
@@ -63,6 +65,7 @@ public class SubtitleController : BaseJellyfinApiController
     public SubtitleController(
         IServerConfigurationManager serverConfigurationManager,
         ILibraryManager libraryManager,
+        IUserManager userManager,
         ISubtitleManager subtitleManager,
         ISubtitleEncoder subtitleEncoder,
         IMediaSourceManager mediaSourceManager,
@@ -72,6 +75,7 @@ public SubtitleController(
     {
         _serverConfigurationManager = serverConfigurationManager;
         _libraryManager = libraryManager;
+        _userManager = userManager;
         _subtitleManager = subtitleManager;
         _subtitleEncoder = subtitleEncoder;
         _mediaSourceManager = mediaSourceManager;
@@ -96,12 +100,28 @@ public async Task<ActionResult> DeleteSubtitle(
         [FromRoute, Required] Guid itemId,
         [FromRoute, Required] int index)
     {
+        var userId = User.GetUserId();
+        var isApiKey = User.GetIsApiKey();
+        var user = userId.IsEmpty() && isApiKey
+            ? null
+            : _userManager.GetUserById(userId);
+
+        if (user is null && !isApiKey)
+        {
+            return NotFound();
+        }
+
         var item = _libraryManager.GetItemById<BaseItem>(itemId, User.GetUserId());
         if (item is null)
         {
             return NotFound();
         }
 
+        if (user is not null && !item.CanDelete(user))
+        {
+            return Unauthorized("Unauthorized access");
+        }
+
         await _subtitleManager.DeleteSubtitles(item, index).ConfigureAwait(false);
         return NoContent();
     }