Backport pull request #11873 from jellyfin/release-10.9.z

Fix FirstTimeSetupHandler allowing public access Original-merge: 869dab2ba2900c18f9de817607e1b0d3681f8ac9 Merged-by: joshuaboniface <joshua@boniface.me> Backported-by: Joshua M. Boniface <joshua@boniface.me>
author: thornbill <thornbill@users.noreply.github.com> 2024-06-01 18:41:08 -0400
committer: Joshua M. Boniface <joshua@boniface.me> 2024-06-01 18:41:08 -0400
commit: dc2db22c3db983a3c787877e2e359d7bab4970d2 (patch)
tree: 2e0af5013c01d1b8c8f00e1fb949bf9f616fc2ed /Jellyfin.Api/Auth/FirstTimeSetupPolicy/FirstTimeSetupHandler.cs
parent: 2599babe3100517368de8f0c2346dd98428a17a4 (diff)
1 files changed, 13 insertions, 5 deletions
diff --git a/Jellyfin.Api/Auth/FirstTimeSetupPolicy/FirstTimeSetupHandler.cs b/Jellyfin.Api/Auth/FirstTimeSetupPolicy/FirstTimeSetupHandler.cs
index 9b4e2182c..e425000cd 100644
--- a/Jellyfin.Api/Auth/FirstTimeSetupPolicy/FirstTimeSetupHandler.cs
+++ b/Jellyfin.Api/Auth/FirstTimeSetupPolicy/FirstTimeSetupHandler.cs
@@ -1,5 +1,6 @@
 using System.Threading.Tasks;
 using Jellyfin.Api.Constants;
+using Jellyfin.Api.Extensions;
 using MediaBrowser.Common.Configuration;
 using Microsoft.AspNetCore.Authorization;
 
@@ -24,24 +25,31 @@ namespace Jellyfin.Api.Auth.FirstTimeSetupPolicy
         /// <inheritdoc />
         protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, FirstTimeSetupRequirement requirement)
         {
+            // Succeed if the startup wizard / first time setup is not complete
             if (!_configurationManager.CommonConfiguration.IsStartupWizardCompleted)
             {
                 context.Succeed(requirement);
             }
-            else if (requirement.RequireAdmin && !context.User.IsInRole(UserRoles.Administrator))
+
+            // Succeed if user is admin
+            else if (context.User.IsInRole(UserRoles.Administrator))
             {
-                context.Fail();
+                context.Succeed(requirement);
             }
-            else if (!requirement.RequireAdmin && context.User.IsInRole(UserRoles.Guest))
+
+            // Fail if admin is required and user is not admin
+            else if (requirement.RequireAdmin)
             {
                 context.Fail();
             }
-            else
+
+            // Succeed if admin is not required and user is not guest
+            else if (context.User.IsInRole(UserRoles.User))
             {
-                // Any user-specific checks are handled in the DefaultAuthorizationHandler.
                 context.Succeed(requirement);
             }
 
+            // Any user-specific checks are handled in the DefaultAuthorizationHandler.
             return Task.CompletedTask;
         }
     }
author	thornbill <thornbill@users.noreply.github.com>	2024-06-01 18:41:08 -0400
committer	Joshua M. Boniface <joshua@boniface.me>	2024-06-01 18:41:08 -0400
commit	dc2db22c3db983a3c787877e2e359d7bab4970d2 (patch)
tree	2e0af5013c01d1b8c8f00e1fb949bf9f616fc2ed /Jellyfin.Api/Auth/FirstTimeSetupPolicy/FirstTimeSetupHandler.cs
parent	2599babe3100517368de8f0c2346dd98428a17a4 (diff)