fix: Correct variable name for playlist visibility checks and enhance permission handling in playlistsVideos endpoint

Daniel Neto · Daniel Neto · commit bb716fbece65 · 2026-03-24T09:19:43.000-03:00
https://github.com/WWBN/AVideo/security/advisories/GHSA-75qq-68m8-pvfr#event-592247
diff --git a/objects/playlist.php b/objects/playlist.php
@@ -1198,16 +1198,16 @@ public static function canSee($playlist_id, $users_id)
     {
         global $playListCanSee;
         $index = "$playlist_id, $users_id";
-        if (isset($playListCanSe[$index])) {
-            return $playListCanSe[$index];
+        if (isset($playListCanSee[$index])) {
+            return $playListCanSee[$index];
         }
-        $playListCanSe[$index] = true;
+        $playListCanSee[$index] = true;
         $obj = new PlayList($playlist_id);
         $status = $obj->getStatus();
         if ($status !== 'public' && $status !== 'unlisted' && $users_id !== $obj->getUsers_id()) {
-            $playListCanSe[$index] = false;
+            $playListCanSee[$index] = false;
         }
-        return $playListCanSe[$index];
+        return $playListCanSee[$index];
     }
 
     public static function getEPG()
diff --git a/objects/playlistsVideos.json.php b/objects/playlistsVideos.json.php
@@ -25,7 +25,12 @@
     die('Play List can not be empty');
 }
 require_once './playlist.php';
-$videos = PlayList::getVideosFromPlaylist($_REQUEST['playlists_id']);
+$_playlists_id = (int)$_REQUEST['playlists_id'];
+if (!PlayList::canSee($_playlists_id, User::getId())) {
+    http_response_code(403);
+    die(json_encode(['error' => 'You do not have permission to view this playlist']));
+}
+$videos = PlayList::getVideosFromPlaylist($_playlists_id);
 $objMob = AVideoPlugin::getObjectData("MobileManager");
 $index = 0;
 foreach ($videos as $key => $value) {
@@ -37,8 +42,8 @@
     $videos[$key]['imageClass'] = !empty($objMob->portraitImage) ? "portrait" : "landscape";
     $videos[$key]['VideoUrl'] = getVideosURL($videos[$key]['filename']);
     $videos[$key]['createdHumanTiming'] = humanTiming(strtotime($videos[$key]['created']));
-    $videos[$key]['pageUrl'] =  PlayLists::getLink($_REQUEST['playlists_id'], false, $index);
-    $videos[$key]['embedUrl'] = PlayLists::getLink($_REQUEST['playlists_id'], true, $index);
+    $videos[$key]['pageUrl'] =  PlayLists::getLink($_playlists_id, false, $index);
+    $videos[$key]['embedUrl'] = PlayLists::getLink($_playlists_id, true, $index);
     unset($_REQUEST['sort'], $_REQUEST['current'], $_REQUEST['searchPhrase']);
     $_REQUEST['rowCount'] = 10;
     $_REQUEST['sort']['created'] = "desc";

Original file line number	Diff line number	Diff line change
`@@ -1198,16 +1198,16 @@ public static function canSee($playlist_id, $users_id)`
`1198`	`1198`	`{`
`1199`	`1199`	`global $playListCanSee;`
`1200`	`1200`	`$index = "$playlist_id, $users_id";`
`1201`		`- if (isset($playListCanSe[$index])) {`
`1202`		`- return $playListCanSe[$index];`
	`1201`	`+ if (isset($playListCanSee[$index])) {`
	`1202`	`+ return $playListCanSee[$index];`
`1203`	`1203`	`}`
`1204`		`- $playListCanSe[$index] = true;`
	`1204`	`+ $playListCanSee[$index] = true;`
`1205`	`1205`	`$obj = new PlayList($playlist_id);`
`1206`	`1206`	`$status = $obj->getStatus();`
`1207`	`1207`	`if ($status !== 'public' && $status !== 'unlisted' && $users_id !== $obj->getUsers_id()) {`
`1208`		`- $playListCanSe[$index] = false;`
	`1208`	`+ $playListCanSee[$index] = false;`
`1209`	`1209`	`}`
`1210`		`- return $playListCanSe[$index];`
	`1210`	`+ return $playListCanSee[$index];`
`1211`	`1211`	`}`
`1212`	`1212`
`1213`	`1213`	`public static function getEPG()`