Update authorization policies for SyncPlay

2 files changed, 53 insertions, 14 deletions

diff --git a/Jellyfin.Api/Auth/SyncPlayAccessPolicy/SyncPlayAccessHandler.cs b/Jellyfin.Api/Auth/SyncPlayAccessPolicy/SyncPlayAccessHandler.cs
index b5932ea6b..fd8286b1d 100644
--- a/Jellyfin.Api/Auth/SyncPlayAccessPolicy/SyncPlayAccessHandler.cs
+++ b/Jellyfin.Api/Auth/SyncPlayAccessPolicy/SyncPlayAccessHandler.cs
@@ -3,6 +3,7 @@ using Jellyfin.Api.Helpers;
 using Jellyfin.Data.Enums;
 using MediaBrowser.Common.Net;
 using MediaBrowser.Controller.Library;
+using MediaBrowser.Controller.SyncPlay;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Http;
 
@@ -13,20 +14,24 @@ namespace Jellyfin.Api.Auth.SyncPlayAccessPolicy
     /// </summary>
     public class SyncPlayAccessHandler : BaseAuthorizationHandler<SyncPlayAccessRequirement>
     {
+        private readonly ISyncPlayManager _syncPlayManager;
         private readonly IUserManager _userManager;
 
         /// <summary>
         /// Initializes a new instance of the <see cref="SyncPlayAccessHandler"/> class.
         /// </summary>
+        /// <param name="syncPlayManager">Instance of the <see cref="ISyncPlayManager"/> interface.</param>
         /// <param name="userManager">Instance of the <see cref="IUserManager"/> interface.</param>
         /// <param name="networkManager">Instance of the <see cref="INetworkManager"/> interface.</param>
         /// <param name="httpContextAccessor">Instance of the <see cref="IHttpContextAccessor"/> interface.</param>
         public SyncPlayAccessHandler(
+            ISyncPlayManager syncPlayManager,
             IUserManager userManager,
             INetworkManager networkManager,
             IHttpContextAccessor httpContextAccessor)
             : base(userManager, networkManager, httpContextAccessor)
         {
+            _syncPlayManager = syncPlayManager;
             _userManager = userManager;
         }
 
@@ -42,10 +47,52 @@ namespace Jellyfin.Api.Auth.SyncPlayAccessPolicy
             var userId = ClaimHelpers.GetUserId(context.User);
             var user = _userManager.GetUserById(userId!.Value);
 
-            if ((requirement.RequiredAccess.HasValue && user.SyncPlayAccess == requirement.RequiredAccess)
-                || user.SyncPlayAccess == SyncPlayAccess.CreateAndJoinGroups)
+            if (requirement.RequiredAccess == SyncPlayAccessRequirementType.HasAccess)
             {
-                context.Succeed(requirement);
+                if (user.SyncPlayAccess == SyncPlayUserAccessType.CreateAndJoinGroups ||
+                    user.SyncPlayAccess == SyncPlayUserAccessType.JoinGroups ||
+                    _syncPlayManager.IsUserActive(userId!.Value))
+                {
+                    context.Succeed(requirement);
+                }
+                else
+                {
+                    context.Fail();
+                }
+            }
+            else if (requirement.RequiredAccess == SyncPlayAccessRequirementType.CreateGroup)
+            {
+                if (user.SyncPlayAccess == SyncPlayUserAccessType.CreateAndJoinGroups)
+                {
+                    context.Succeed(requirement);
+                }
+                else
+                {
+                    context.Fail();
+                }
+            }
+            else if (requirement.RequiredAccess == SyncPlayAccessRequirementType.JoinGroup)
+            {
+                if (user.SyncPlayAccess == SyncPlayUserAccessType.CreateAndJoinGroups ||
+                    user.SyncPlayAccess == SyncPlayUserAccessType.JoinGroups)
+                {
+                    context.Succeed(requirement);
+                }
+                else
+                {
+                    context.Fail();
+                }
+            }
+            else if (requirement.RequiredAccess == SyncPlayAccessRequirementType.IsInGroup)
+            {
+                if (_syncPlayManager.IsUserActive(userId!.Value))
+                {
+                    context.Succeed(requirement);
+                }
+                else
+                {
+                    context.Fail();
+                }
             }
             else
             {
diff --git a/Jellyfin.Api/Auth/SyncPlayAccessPolicy/SyncPlayAccessRequirement.cs b/Jellyfin.Api/Auth/SyncPlayAccessPolicy/SyncPlayAccessRequirement.cs
index 7fcaf69f6..6fab4c0ad 100644
--- a/Jellyfin.Api/Auth/SyncPlayAccessPolicy/SyncPlayAccessRequirement.cs
+++ b/Jellyfin.Api/Auth/SyncPlayAccessPolicy/SyncPlayAccessRequirement.cs
@@ -11,23 +11,15 @@ namespace Jellyfin.Api.Auth.SyncPlayAccessPolicy
         /// <summary>
         /// Initializes a new instance of the <see cref="SyncPlayAccessRequirement"/> class.
         /// </summary>
-        /// <param name="requiredAccess">A value of <see cref="SyncPlayAccess"/>.</param>
-        public SyncPlayAccessRequirement(SyncPlayAccess requiredAccess)
+        /// <param name="requiredAccess">A value of <see cref="SyncPlayAccessRequirementType"/>.</param>
+        public SyncPlayAccessRequirement(SyncPlayAccessRequirementType requiredAccess)
         {
             RequiredAccess = requiredAccess;
         }
 
         /// <summary>
-        /// Initializes a new instance of the <see cref="SyncPlayAccessRequirement"/> class.
-        /// </summary>
-        public SyncPlayAccessRequirement()
-        {
-            RequiredAccess = null;
-        }
-
-        /// <summary>
         /// Gets the required SyncPlay access.
         /// </summary>
-        public SyncPlayAccess? RequiredAccess { get; }
+        public SyncPlayAccessRequirementType RequiredAccess { get; }
     }
 }