authorcvium <clausvium@gmail.com>2023-02-09 08:53:59 +0100
committercvium <clausvium@gmail.com>2023-02-09 13:51:37 +0100
commitf984f31896d9f5b34b488efb845d73f901fc9a80 (patch)
tree6381b2d4a7572147bb1a5fa0e32c49506e788924 /Jellyfin.Api/Auth
parenta4c3011ee8326c3140abbe6de872f7438c58fd1e (diff)
admins shouldn't be able to circumvent remote access policies
Diffstat (limited to 'Jellyfin.Api/Auth')
-rw-r--r--Jellyfin.Api/Auth/DefaultAuthorizationPolicy/DefaultAuthorizationHandler.cs14
1 files changed, 7 insertions, 7 deletions
diff --git a/Jellyfin.Api/Auth/DefaultAuthorizationPolicy/DefaultAuthorizationHandler.cs b/Jellyfin.Api/Auth/DefaultAuthorizationPolicy/DefaultAuthorizationHandler.cs
index 7489e2a35..0f3c69abc 100644
--- a/Jellyfin.Api/Auth/DefaultAuthorizationPolicy/DefaultAuthorizationHandler.cs
+++ b/Jellyfin.Api/Auth/DefaultAuthorizationPolicy/DefaultAuthorizationHandler.cs
@@ -38,13 +38,6 @@ namespace Jellyfin.Api.Auth.DefaultAuthorizationPolicy
/// <inheritdoc />
protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, DefaultAuthorizationRequirement requirement)
{
- // Admins can do everything
- if (context.User.GetIsApiKey() || context.User.IsInRole(UserRoles.Administrator))
- {
- context.Succeed(requirement);
- return Task.CompletedTask;
- }
-
var userId = context.User.GetUserId();
// This likely only happens during the wizard, so skip the default checks and let any other handlers do it
if (userId.Equals(default))
@@ -62,6 +55,13 @@ namespace Jellyfin.Api.Auth.DefaultAuthorizationPolicy
return Task.CompletedTask;
}
+ // Admins can do everything
+ if (context.User.GetIsApiKey() || context.User.IsInRole(UserRoles.Administrator))
+ {
+ context.Succeed(requirement);
+ return Task.CompletedTask;
+ }
+
// It's not great to have this check, but parental schedule must usually be honored except in a few rare cases
if (requirement.ValidateParentalSchedule && !user.IsParentalScheduleAllowed())
{
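Review bot: The API-key half of the moved condition (`context.User.GetIsApiKey()`) now runs only after the `userId.Equals(default)` early-out shown in the first hunk and after the checks that end just above this block, none of which are fully visible here. If an API-key principal carries no user id, it would presumably take the wizard path and never reach this `Succeed`, so a test should confirm that API-key requests are still authorized as intended. The comment `// Admins can do everything` is also no longer accurate at this position; something like `// Admins and API keys skip only the checks below (parental schedule); the checks above still apply to them` would record the new ordering, which is the security-relevant point of the commit. The body of HandleRequirementAsync starts before and continues past this hunk.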