authorJoshua M. Boniface <joshua@boniface.me>2020-05-26 19:57:24 -0400
committerGitHub <noreply@github.com>2020-05-26 19:57:24 -0400
commitb33fa06efa1c7bf334bc0bcf7e845d86dffe12da (patch)
tree9b70050001a0da905de5018a4cfafe827021d89d
parent9c00226f11ee6d99e3e8f83a3a531e70d743e6ba (diff)
parent0be3dfe7c53d8c3bb43c28ea02c8a594bcb903b2 (diff)
Merge pull request #3187 from jellyfin/revert-2492-fix-api-private-data-leak
Revert "Fix emby/user/public API leaking sensitive data"
-rw-r--r--Emby.Server.Implementations/Library/UserManager.cs25
-rw-r--r--MediaBrowser.Api/UserService.cs38
-rw-r--r--MediaBrowser.Controller/Library/IUserManager.cs8
-rw-r--r--MediaBrowser.Model/Dto/PublicUserDto.cs48
4 files changed, 11 insertions, 108 deletions
diff --git a/Emby.Server.Implementations/Library/UserManager.cs b/Emby.Server.Implementations/Library/UserManager.cs
index b8feb5535..d63bc6bda 100644
--- a/Emby.Server.Implementations/Library/UserManager.cs
+++ b/Emby.Server.Implementations/Library/UserManager.cs
@@ -608,31 +608,6 @@ namespace Emby.Server.Implementations.Library
return dto;
}
- public PublicUserDto GetPublicUserDto(User user, string remoteEndPoint = null)
- {
- if (user == null)
- {
- throw new ArgumentNullException(nameof(user));
- }
-
- IAuthenticationProvider authenticationProvider = GetAuthenticationProvider(user);
- bool hasConfiguredPassword = authenticationProvider.HasPassword(user);
- bool hasConfiguredEasyPassword = !string.IsNullOrEmpty(authenticationProvider.GetEasyPasswordHash(user));
-
- bool hasPassword = user.Configuration.EnableLocalPassword &&
- !string.IsNullOrEmpty(remoteEndPoint) &&
- _networkManager.IsInLocalNetwork(remoteEndPoint) ? hasConfiguredEasyPassword : hasConfiguredPassword;
-
- PublicUserDto dto = new PublicUserDto
- {
- Name = user.Name,
- HasPassword = hasPassword,
- HasConfiguredPassword = hasConfiguredPassword,
- };
-
- return dto;
- }
-
public UserDto GetOfflineUserDto(User user)
{
var dto = GetUserDto(user);
diff --git a/MediaBrowser.Api/UserService.cs b/MediaBrowser.Api/UserService.cs
index 7d4d5fcf9..78fc6c694 100644
--- a/MediaBrowser.Api/UserService.cs
+++ b/MediaBrowser.Api/UserService.cs
@@ -35,7 +35,7 @@ namespace MediaBrowser.Api
}
[Route("/Users/Public", "GET", Summary = "Gets a list of publicly visible users for display on a login screen.")]
- public class GetPublicUsers : IReturn<PublicUserDto[]>
+ public class GetPublicUsers : IReturn<UserDto[]>
{
}
@@ -266,38 +266,22 @@ namespace MediaBrowser.Api
_authContext = authContext;
}
- /// <summary>
- /// Gets the public available Users information
- /// </summary>
- /// <param name="request">The request.</param>
- /// <returns>System.Object.</returns>
public object Get(GetPublicUsers request)
{
- var result = _userManager
- .Users
- .Where(item => !item.Policy.IsDisabled);
-
- if (ServerConfigurationManager.Configuration.IsStartupWizardCompleted)
+ // If the startup wizard hasn't been completed then just return all users
+ if (!ServerConfigurationManager.Configuration.IsStartupWizardCompleted)
{
- var deviceId = _authContext.GetAuthorizationInfo(Request).DeviceId;
- result = result.Where(item => !item.Policy.IsHidden);
-
- if (!string.IsNullOrWhiteSpace(deviceId))
+ return Get(new GetUsers
{
- result = result.Where(i => _deviceManager.CanAccessDevice(i, deviceId));
- }
-
- if (!_networkManager.IsInLocalNetwork(Request.RemoteIp))
- {
- result = result.Where(i => i.Policy.EnableRemoteAccess);
- }
+ IsDisabled = false
+ });
}
- return ToOptimizedResult(result
- .OrderBy(u => u.Name)
- .Select(i => _userManager.GetPublicUserDto(i, Request.RemoteIp))
- .ToArray()
- );
+ return Get(new GetUsers
+ {
+ IsHidden = false,
+ IsDisabled = false
+ }, true, true);
}
/// <summary>
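Review bot: The unauthenticated `/Users/Public` route in `Get(GetPublicUsers request)` now returns whatever `Get(GetUsers, ...)` produces, which the first hunk of this file declares as `UserDto[]`, so a caller without a session receives the full user DTO instead of the name and password-flag shape this commit removes. If `UserDto` carries policy or configuration fields (its definition is not visible in this diff), that is the exposure the reverted change was named for, so the result should be reduced to the fields a login screen needs before it is returned, or the revert should be paired with a tracked follow-up. The positional `true, true` arguments give no hint of which filters they enable; the removed code filtered by device access and by remote access, so a comment such as `// Unauthenticated route: device and remote-access filtering stay on (the two bool arguments) - confirm against Get(GetUsers, bool, bool)` or named arguments would make the call reviewable. The pre-wizard branch omits both arguments and the `IsHidden` filter, which its comment should state explicitly rather than "just return all users".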
diff --git a/MediaBrowser.Controller/Library/IUserManager.cs b/MediaBrowser.Controller/Library/IUserManager.cs
index ec6cb35eb..be7b4ce59 100644
--- a/MediaBrowser.Controller/Library/IUserManager.cs
+++ b/MediaBrowser.Controller/Library/IUserManager.cs
@@ -144,14 +144,6 @@ namespace MediaBrowser.Controller.Library
UserDto GetUserDto(User user, string remoteEndPoint = null);
/// <summary>
- /// Gets the user public dto.
- /// </summary>
- /// <param name="user">Ther user.</param>\
- /// <param name="remoteEndPoint">The remote end point.</param>
- /// <returns>A public UserDto, aka a UserDto stripped of personal data.</returns>
- PublicUserDto GetPublicUserDto(User user, string remoteEndPoint = null);
-
- /// <summary>
/// Authenticates the user.
/// </summary>
Task<User> AuthenticateUser(string username, string password, string passwordSha1, string remoteEndPoint, bool isUserSession);
diff --git a/MediaBrowser.Model/Dto/PublicUserDto.cs b/MediaBrowser.Model/Dto/PublicUserDto.cs
deleted file mode 100644
index b6bfaf2e9..000000000
--- a/MediaBrowser.Model/Dto/PublicUserDto.cs
+++ /dev/null
@@ -1,48 +0,0 @@
-using System;
-
-namespace MediaBrowser.Model.Dto
-{
- /// <summary>
- /// Class PublicUserDto. Its goal is to show only public information about a user
- /// </summary>
- public class PublicUserDto : IItemDto
- {
- /// <summary>
- /// Gets or sets the name.
- /// </summary>
- /// <value>The name.</value>
- public string Name { get; set; }
-
- /// <summary>
- /// Gets or sets the primary image tag.
- /// </summary>
- /// <value>The primary image tag.</value>
- public string PrimaryImageTag { get; set; }
-
- /// <summary>
- /// Gets or sets a value indicating whether this instance has password.
- /// </summary>
- /// <value><c>true</c> if this instance has password; otherwise, <c>false</c>.</value>
- public bool HasPassword { get; set; }
-
- /// <summary>
- /// Gets or sets a value indicating whether this instance has configured password.
- /// Note that in this case this method should not be here, but it is necessary when changing password at the
- /// first login.
- /// </summary>
- /// <value><c>true</c> if this instance has configured password; otherwise, <c>false</c>.</value>
- public bool HasConfiguredPassword { get; set; }
-
- /// <summary>
- /// Gets or sets the primary image aspect ratio.
- /// </summary>
- /// <value>The primary image aspect ratio.</value>
- public double? PrimaryImageAspectRatio { get; set; }
-
- /// <inheritdoc />
- public override string ToString()
- {
- return Name ?? base.ToString();
- }
- }
-}