Backport pull request #11651 from jellyfin/release-10.9.z

Fix FirstTimeSetupPolicy allowing guest access Original-merge: 2cb052a119a43edbdeaba33f77d929a5ee4b405c Merged-by: crobibero <cody@robibe.ro> Backported-by: Joshua M. Boniface <joshua@boniface.me>
author: thornbill <thornbill@users.noreply.github.com> 2024-05-17 13:51:44 -0400
committer: Joshua M. Boniface <joshua@boniface.me> 2024-05-17 13:51:44 -0400
commit: 9a1a58885749a7c4f0354b0f848791e492482ccb (patch)
tree: a81fc23cccf1c97c70cce8f07fa0362513489ade /Jellyfin.Api/Auth
parent: b063dfd2e3925b85bbc9461c272a10d7c8931767 (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/Jellyfin.Api/Auth/FirstTimeSetupPolicy/FirstTimeSetupHandler.cs b/Jellyfin.Api/Auth/FirstTimeSetupPolicy/FirstTimeSetupHandler.cs
index 2b6b2a82c..9b4e2182c 100644
--- a/Jellyfin.Api/Auth/FirstTimeSetupPolicy/FirstTimeSetupHandler.cs
+++ b/Jellyfin.Api/Auth/FirstTimeSetupPolicy/FirstTimeSetupHandler.cs
@@ -32,6 +32,10 @@ namespace Jellyfin.Api.Auth.FirstTimeSetupPolicy
             {
                 context.Fail();
             }
+            else if (!requirement.RequireAdmin && context.User.IsInRole(UserRoles.Guest))
+            {
+                context.Fail();
+            }
             else
             {
                 // Any user-specific checks are handled in the DefaultAuthorizationHandler.
author	thornbill <thornbill@users.noreply.github.com>	2024-05-17 13:51:44 -0400
committer	Joshua M. Boniface <joshua@boniface.me>	2024-05-17 13:51:44 -0400
commit	9a1a58885749a7c4f0354b0f848791e492482ccb (patch)
tree	a81fc23cccf1c97c70cce8f07fa0362513489ade /Jellyfin.Api/Auth
parent	b063dfd2e3925b85bbc9461c272a10d7c8931767 (diff)