Enforce permissions on websocket connections

1 files changed, 13 insertions, 1 deletions

diff --git a/Jellyfin.Api/WebSocketListeners/ActivityLogWebSocketListener.cs b/Jellyfin.Api/WebSocketListeners/ActivityLogWebSocketListener.cs
index 4a5e0ecd4..33d391f29 100644
--- a/Jellyfin.Api/WebSocketListeners/ActivityLogWebSocketListener.cs
+++ b/Jellyfin.Api/WebSocketListeners/ActivityLogWebSocketListener.cs
@@ -1,6 +1,8 @@
 using System;
 using System.Threading.Tasks;
+using Jellyfin.Data.Enums;
 using Jellyfin.Data.Events;
+using MediaBrowser.Controller.Authentication;
 using MediaBrowser.Controller.Net;
 using MediaBrowser.Model.Activity;
 using MediaBrowser.Model.Session;
@@ -9,7 +11,7 @@ using Microsoft.Extensions.Logging;
 namespace Jellyfin.Api.WebSocketListeners;
 
 /// <summary>
-/// Class SessionInfoWebSocketListener.
+/// Class ActivityLogWebSocketListener.
 /// </summary>
 public class ActivityLogWebSocketListener : BasePeriodicWebSocketListener<ActivityLogEntry[], WebSocketListenerState>
 {
@@ -56,6 +58,16 @@ public class ActivityLogWebSocketListener : BasePeriodicWebSocketListener<Activi
         base.Dispose(dispose);
     }
 
+    private new void Start(WebSocketMessageInfo message)
+    {
+        if (!message.Connection.AuthorizationInfo.User.HasPermission(PermissionKind.IsAdministrator))
+        {
+            throw new AuthenticationException("Only admin users can retrieve the activity log.");
+        }
+
+        base.Start(message);
+    }
+
     private async void OnEntryCreated(object? sender, GenericEventArgs<ActivityLogEntry> e)
     {
         await SendData(true).ConfigureAwait(false);