| author | Cody Robibero <cody@robibe.ro> | 2023-02-17 15:16:08 -0700 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2023-02-17 23:16:08 +0100 |
| commit | a527034ebe31e1aa43c5fd4adb98e8cff871988a (patch) | |
| tree | 9e790c1f87c2d3fbdb784bdc9cce1535fc4e561b /Jellyfin.Api/Controllers/QuickConnectController.cs | |
| parent | 9979b346ea0392f02922b7cce271f31ccb051987 (diff) | |
Validate requested user id (#8812)
Diffstat (limited to 'Jellyfin.Api/Controllers/QuickConnectController.cs')
| -rw-r--r-- | Jellyfin.Api/Controllers/QuickConnectController.cs | 11 |
1 files changed, 3 insertions, 8 deletions
diff --git a/Jellyfin.Api/Controllers/QuickConnectController.cs b/Jellyfin.Api/Controllers/QuickConnectController.cs
index 503b9d372..d7e54b5b6 100644
--- a/Jellyfin.Api/Controllers/QuickConnectController.cs
+++ b/Jellyfin.Api/Controllers/QuickConnectController.cs
@@ -3,6 +3,7 @@ using System.ComponentModel.DataAnnotations;
 using System.Threading.Tasks;
 using Jellyfin.Api.Constants;
 using Jellyfin.Api.Extensions;
+using Jellyfin.Api.Helpers;
 using MediaBrowser.Common.Extensions;
 using MediaBrowser.Controller.Authentication;
 using MediaBrowser.Controller.Net;
@@ -116,17 +117,11 @@ public class QuickConnectController : BaseJellyfinApiController
 [ProducesResponseType(StatusCodes.Status403Forbidden)]
 public async Task<ActionResult<bool>> AuthorizeQuickConnect([FromQuery, Required] string code, [FromQuery] Guid? userId = null)
 {
- var currentUserId = User.GetUserId();
- var actualUserId = userId ?? currentUserId;
-
- if (actualUserId.Equals(default) || (!userId.Equals(currentUserId) && !User.IsInRole(UserRoles.Administrator)))
- {
- return Forbid("Unknown user id");
- }
+ userId = RequestHelpers.GetUserId(User, userId);
 try
 {
- return await _quickConnect.AuthorizeRequest(actualUserId, code).ConfigureAwait(false);
+ return await _quickConnect.AuthorizeRequest(userId.Value, code).ConfigureAwait(false);
 }
 catch (AuthenticationException)
 { |
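Review bot: The 403 path for a caller who passes another user's `userId` is no longer decided inside `AuthorizeQuickConnect`: the explicit `Forbid(...)` branch is removed and the only handler visible after the call is `catch (AuthenticationException)`, while the action still advertises `Status403Forbidden`. `RequestHelpers.GetUserId` is not shown in this hunk, so it should be confirmed that it rejects both a mismatched id from a non-administrator and an empty `Guid`, and that its rejection is translated to a 403 rather than escaping as an unhandled error; a controller test for those two cases would pin the behaviour. Separately, reassigning the nullable parameter and then reading `userId.Value` hides that the value has been validated; a distinct local such as `var authorizedUserId = RequestHelpers.GetUserId(User, userId);` passed to `AuthorizeRequest(authorizedUserId, code)` reads more clearly. The method body continues past the end of the hunk.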
