Move request validation to auth policies

2 files changed, 91 insertions, 0 deletions

diff --git a/Jellyfin.Api/Auth/SyncPlayAccessPolicy/SyncPlayAccessHandler.cs b/Jellyfin.Api/Auth/SyncPlayAccessPolicy/SyncPlayAccessHandler.cs
new file mode 100644
index 000000000..2c3294523
--- /dev/null
+++ b/Jellyfin.Api/Auth/SyncPlayAccessPolicy/SyncPlayAccessHandler.cs
@@ -0,0 +1,58 @@
+using System.Threading.Tasks;
+using Jellyfin.Api.Helpers;
+using Jellyfin.Data.Enums;
+using MediaBrowser.Common.Net;
+using MediaBrowser.Controller.Library;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Http;
+
+namespace Jellyfin.Api.Auth.SyncPlayAccessPolicy
+{
+    /// <summary>
+    /// Default authorization handler.
+    /// </summary>
+    public class SyncPlayAccessHandler : BaseAuthorizationHandler<SyncPlayAccessRequirement>
+    {
+        private readonly IUserManager _userManager;
+
+        /// <summary>
+        /// Initializes a new instance of the <see cref="SyncPlayAccessHandler"/> class.
+        /// </summary>
+        /// <param name="userManager">Instance of the <see cref="IUserManager"/> interface.</param>
+        /// <param name="networkManager">Instance of the <see cref="INetworkManager"/> interface.</param>
+        /// <param name="httpContextAccessor">Instance of the <see cref="IHttpContextAccessor"/> interface.</param>
+        public SyncPlayAccessHandler(
+            IUserManager userManager,
+            INetworkManager networkManager,
+            IHttpContextAccessor httpContextAccessor)
+            : base(userManager, networkManager, httpContextAccessor)
+        {
+            _userManager = userManager;
+        }
+
+        /// <inheritdoc />
+        protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, SyncPlayAccessRequirement requirement)
+        {
+            if (!ValidateClaims(context.User))
+            {
+                context.Fail();
+                return Task.CompletedTask;
+            }
+
+            var userId = ClaimHelpers.GetUserId(context.User);
+            var user = _userManager.GetUserById(userId!.Value);
+
+            if ((requirement.RequiredAccess.HasValue && user.SyncPlayAccess == requirement.RequiredAccess)
+                || (user.SyncPlayAccess == SyncPlayAccess.JoinGroups || user.SyncPlayAccess == SyncPlayAccess.CreateAndJoinGroups))
+            {
+                context.Succeed(requirement);
+            }
+            else
+            {
+                context.Fail();
+            }
+
+            return Task.CompletedTask;
+        }
+    }
+}
diff --git a/Jellyfin.Api/Auth/SyncPlayAccessPolicy/SyncPlayAccessRequirement.cs b/Jellyfin.Api/Auth/SyncPlayAccessPolicy/SyncPlayAccessRequirement.cs
new file mode 100644
index 000000000..7fcaf69f6
--- /dev/null
+++ b/Jellyfin.Api/Auth/SyncPlayAccessPolicy/SyncPlayAccessRequirement.cs
@@ -0,0 +1,33 @@
+using Jellyfin.Data.Enums;
+using Microsoft.AspNetCore.Authorization;
+
+namespace Jellyfin.Api.Auth.SyncPlayAccessPolicy
+{
+    /// <summary>
+    /// The default authorization requirement.
+    /// </summary>
+    public class SyncPlayAccessRequirement : IAuthorizationRequirement
+    {
+        /// <summary>
+        /// Initializes a new instance of the <see cref="SyncPlayAccessRequirement"/> class.
+        /// </summary>
+        /// <param name="requiredAccess">A value of <see cref="SyncPlayAccess"/>.</param>
+        public SyncPlayAccessRequirement(SyncPlayAccess requiredAccess)
+        {
+            RequiredAccess = requiredAccess;
+        }
+
+        /// <summary>
+        /// Initializes a new instance of the <see cref="SyncPlayAccessRequirement"/> class.
+        /// </summary>
+        public SyncPlayAccessRequirement()
+        {
+            RequiredAccess = null;
+        }
+
+        /// <summary>
+        /// Gets the required SyncPlay access.
+        /// </summary>
+        public SyncPlayAccess? RequiredAccess { get; }
+    }
+}