fix: harden shared access checks for playlists and files

backend/app.js

@@ -928,7 +928,7 @@ const optionalJwt = async function (req, res, next) {
         const uuid = using_body ? req.body.uuid : req.query.uuid;
         const uid = using_body ? req.body.uid : req.query.uid;
         const playlist_id = using_body ? req.body.playlist_id : req.query.playlist_id;
-        const file = !playlist_id ? auth_api.getUserVideo(uuid, uid, true) : await files_api.getPlaylist(playlist_id, uuid, true);
+        const file = !playlist_id ? await auth_api.getUserVideo(uuid, uid, true) : await files_api.getPlaylist(playlist_id, uuid, true);
         if (file) {
             req.can_watch = true;
             return next();

backend/authentication/auth.js

@@ -482,7 +482,7 @@ exports.getUserPlaylist = async function(user_uid, playlistID, requireSharing =
   let playlist = await db_api.getRecord('playlists', filter_obj);
 
   // prevent unauthorized users from accessing the file info
-  if (requireSharing && !playlist['sharingEnabled']) playlist = null;
+  if (requireSharing && (!playlist || !playlist['sharingEnabled'])) playlist = null;
 
   return playlist;
 }

backend/files.js

@@ -194,7 +194,7 @@ exports.getPlaylist = async (playlist_id, user_uid = null, require_sharing = fal
     }
 
     // prevent unauthorized users from accessing the file info
-    if (require_sharing && !playlist['sharingEnabled']) return null;
+    if (require_sharing && (!playlist || !playlist['sharingEnabled'])) return null;
 
     return playlist;
 }