| author | Niels van Velzen <git@ndat.nl> | 2022-11-12 10:19:52 +0100 |
|---|---|---|
| committer | Niels van Velzen <git@ndat.nl> | 2022-12-03 12:31:42 +0100 |
| commit | fd73f346dc94a2b1a2c3421e9d83c0f6d9346d29 (patch) | |
| tree | 74c0dca5e9a162c218924c5e5d2c1e96724f4913 /Jellyfin.Api/Controllers/QuickConnectController.cs | |
| parent | db2c0d4c91a952407ab7709d9ff5c86017e5753e (diff) | |
Add userId parameter to AuthorizeQuickConnect
Diffstat (limited to 'Jellyfin.Api/Controllers/QuickConnectController.cs')
| -rw-r--r-- | Jellyfin.Api/Controllers/QuickConnectController.cs | 14 |
1 files changed, 9 insertions, 5 deletions
diff --git a/Jellyfin.Api/Controllers/QuickConnectController.cs b/Jellyfin.Api/Controllers/QuickConnectController.cs
index 77d88475f..aed4d9341 100644
--- a/Jellyfin.Api/Controllers/QuickConnectController.cs
+++ b/Jellyfin.Api/Controllers/QuickConnectController.cs
@@ -1,3 +1,4 @@
+using System;
 using System.ComponentModel.DataAnnotations;
 using System.Threading.Tasks;
 using Jellyfin.Api.Constants;
@@ -96,6 +97,7 @@ namespace Jellyfin.Api.Controllers
 /// Authorizes a pending quick connect request.
 /// </summary>
 /// <param name="code">Quick connect code to authorize.</param>
+ /// <param name="userId">The user the authorize. Access to the requested user is required.</param>
 /// <response code="200">Quick connect result authorized successfully.</response>
 /// <response code="403">Unknown user id.</response>
 /// <returns>Boolean indicating if the authorization was successful.</returns>
@@ -103,17 +105,19 @@ namespace Jellyfin.Api.Controllers
 [Authorize(Policy = Policies.DefaultAuthorization)]
 [ProducesResponseType(StatusCodes.Status200OK)]
 [ProducesResponseType(StatusCodes.Status403Forbidden)]
- public async Task<ActionResult<bool>> AuthorizeQuickConnect([FromQuery, Required] string code)
+ public async Task<ActionResult<bool>> AuthorizeQuickConnect([FromQuery, Required] string code, [FromQuery] Guid? userId = null)
 {
- var userId = User.GetUserId();
- if (userId.Equals(default))
+ var currentUserId = User.GetUserId();
+ var actualUserId = userId ?? currentUserId;
+
+ if (actualUserId.Equals(default) || (!userId.Equals(currentUserId) && !User.IsInRole(UserRoles.Administrator)))
 {
- return StatusCode(StatusCodes.Status403Forbidden, "Unknown user id");
+ return Forbid("Unknown user id");
 }

 try
 {
- return await _quickConnect.AuthorizeRequest(userId, code).ConfigureAwait(false);
+ return await _quickConnect.AuthorizeRequest(actualUserId, code).ConfigureAwait(false);
 }
 catch (AuthenticationException)
 { |
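Review bot: The added `userId` doc line in the second hunk has a typo and does not state the access rule that the new guard enforces: `The user the authorize` should read `The user to authorize`. Suggested wording: `/// <param name="userId">The user to authorize. Defaults to the calling user; authorizing a different user requires administrator rights.</param>`. The `403` response text `Unknown user id.` now also covers the not-permitted case and could say so, for example `/// <response code="403">Unknown user id, or caller may not authorize for the requested user.</response>`.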
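Review bot: The new guard in the third hunk tests `!userId.Equals(currentUserId)` on the nullable query parameter instead of on `actualUserId`, so when `userId` is omitted the comparison is false (assuming `GetUserId()` returns a non-nullable `Guid`) and every non-administrator is refused even for their own session; it should read `!actualUserId.Equals(currentUserId)`. Separately, `Forbid("Unknown user id")` passes the string as an authentication scheme name, not a response body, so it would be expected to fail at runtime on an unregistered scheme rather than return 403; keep `return StatusCode(StatusCodes.Status403Forbidden, "Unknown user id");` or use a bare `Forbid()`. Because an administrator can now approve a sign-in on behalf of any user, the success path should record both `currentUserId` and `actualUserId` in an audit log so that delegated approvals can be traced. The method body continues past the end of the hunk, so the `catch` handling is not visible here.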
