authorcvium <clausvium@gmail.com>2022-10-06 13:57:47 +0200
committercvium <clausvium@gmail.com>2022-10-06 13:57:47 +0200
commit5dc30c6a6d8af9a758fd730c9da69c13847c21c3 (patch)
treecfdd9ae95f31974951dbfae1c8bb4978c9cc7961 /Jellyfin.Api/Helpers/RequestHelpers.cs
parent927fe33d3a0ec7f9e0fb568cfd423c6e8b966c9d (diff)
fix: use HttpContext and ClaimsPrincipal instead of IAuthorizationContext
Diffstat (limited to 'Jellyfin.Api/Helpers/RequestHelpers.cs')
-rw-r--r--Jellyfin.Api/Helpers/RequestHelpers.cs48
1 files changed, 28 insertions, 20 deletions
diff --git a/Jellyfin.Api/Helpers/RequestHelpers.cs b/Jellyfin.Api/Helpers/RequestHelpers.cs
index 20427d7fa..8c5af013a 100644
--- a/Jellyfin.Api/Helpers/RequestHelpers.cs
+++ b/Jellyfin.Api/Helpers/RequestHelpers.cs
@@ -1,13 +1,16 @@
using System;
using System.Collections.Generic;
using System.Linq;
+using System.Security.Claims;
using System.Threading.Tasks;
+using Jellyfin.Api.Constants;
+using Jellyfin.Api.Extensions;
using Jellyfin.Data.Entities;
using Jellyfin.Data.Enums;
using MediaBrowser.Common.Extensions;
using MediaBrowser.Controller.Dto;
using MediaBrowser.Controller.Entities;
-using MediaBrowser.Controller.Net;
+using MediaBrowser.Controller.Library;
using MediaBrowser.Controller.Session;
using MediaBrowser.Model.Dto;
using MediaBrowser.Model.Querying;
@@ -55,37 +58,42 @@ namespace Jellyfin.Api.Helpers
/// <summary>
/// Checks if the user can update an entry.
/// </summary>
- /// <param name="authContext">Instance of the <see cref="IAuthorizationContext"/> interface.</param>
- /// <param name="requestContext">The <see cref="HttpRequest"/>.</param>
+ /// <param name="userManager">An instance of the <see cref="IUserManager"/> interface.</param>
+ /// <param name="claimsPrincipal">The <see cref="ClaimsPrincipal"/> for the current request.</param>
/// <param name="userId">The user id.</param>
/// <param name="restrictUserPreferences">Whether to restrict the user preferences.</param>
/// <returns>A <see cref="bool"/> whether the user can update the entry.</returns>
- internal static async Task<bool> AssertCanUpdateUser(IAuthorizationContext authContext, HttpRequest requestContext, Guid userId, bool restrictUserPreferences)
+ internal static bool AssertCanUpdateUser(IUserManager userManager, ClaimsPrincipal claimsPrincipal, Guid userId, bool restrictUserPreferences)
{
- var auth = await authContext.GetAuthorizationInfo(requestContext).ConfigureAwait(false);
-
- var authenticatedUser = auth.User;
+ var authenticatedUserId = claimsPrincipal.GetUserId();
+ var isAdministrator = claimsPrincipal.IsInRole(UserRoles.Administrator);
// If they're going to update the record of another user, they must be an administrator
- if ((!userId.Equals(auth.UserId) && !authenticatedUser.HasPermission(PermissionKind.IsAdministrator))
- || (restrictUserPreferences && !authenticatedUser.EnableUserPreferenceAccess))
+ if (!userId.Equals(authenticatedUserId) && !isAdministrator)
{
return false;
}
- return true;
+ // TODO the EnableUserPreferenceAccess policy does not seem to be used elsewhere
+ if (!restrictUserPreferences || isAdministrator)
+ {
+ return true;
+ }
+
+ var user = userManager.GetUserById(userId);
+ return user.EnableUserPreferenceAccess;
}
- internal static async Task<SessionInfo> GetSession(ISessionManager sessionManager, IAuthorizationContext authContext, HttpRequest request)
+ internal static async Task<SessionInfo> GetSession(ISessionManager sessionManager, IUserManager userManager, HttpContext httpContext)
{
- var authorization = await authContext.GetAuthorizationInfo(request).ConfigureAwait(false);
- var user = authorization.User;
+ var userId = httpContext.User.GetUserId();
+ var user = userManager.GetUserById(userId);
var session = await sessionManager.LogSessionActivity(
- authorization.Client,
- authorization.Version,
- authorization.DeviceId,
- authorization.Device,
- request.HttpContext.GetNormalizedRemoteIp().ToString(),
+ httpContext.User.GetClient(),
+ httpContext.User.GetVersion(),
+ httpContext.User.GetDeviceId(),
+ httpContext.User.GetDevice(),
+ httpContext.GetNormalizedRemoteIp().ToString(),
user).ConfigureAwait(false);
if (session == null)
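Review bot: In AssertCanUpdateUser the result of `userManager.GetUserById(userId)` is dereferenced without a null check, so if that lookup can return null for an unknown id, this authorization helper throws a NullReferenceException instead of denying; `return user != null && user.EnableUserPreferenceAccess;` would fail closed. The rewrite also changes the policy: the removed condition rejected any caller whose own EnableUserPreferenceAccess was false, administrators included, while the new `if (!restrictUserPreferences || isAdministrator)` lets administrators through regardless. If that is intended, it deserves a comment next to the TODO, e.g. `// Administrators bypass the preference-access restriction by design`. The same unchecked lookup feeds `LogSessionActivity` in GetSession, whose body continues past the end of this hunk. Whether `GetUserId()` can yield an empty Guid for a principal without a user claim is not visible here and is worth confirming for both helpers.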
@@ -96,9 +104,9 @@ namespace Jellyfin.Api.Helpers
return session;
}
- internal static async Task<string> GetSessionId(ISessionManager sessionManager, IAuthorizationContext authContext, HttpRequest request)
+ internal static async Task<string> GetSessionId(ISessionManager sessionManager, IUserManager userManager, HttpContext httpContext)
{
- var session = await GetSession(sessionManager, authContext, request).ConfigureAwait(false);
+ var session = await GetSession(sessionManager, userManager, httpContext).ConfigureAwait(false);
return session.Id;
}