Enforce permissions on websocket connections

author: Shadowghost <Ghost_of_Stone@web.de> 2023-06-09 17:11:22 +0200
committer: Shadowghost <Ghost_of_Stone@web.de> 2023-07-07 08:50:37 +0200
commit: 05d98fe24c594ae43de4cd9f54139f8b04324119 (patch)
tree: cbea66216a973c6e9aafe2e6f661c1de4b58fe9a /Jellyfin.Api/WebSocketListeners/SessionInfoWebSocketListener.cs
parent: 46a6755e65c9587fd1ae33ee4ffdb3cd406fd72b (diff)
1 files changed, 12 insertions, 0 deletions
diff --git a/Jellyfin.Api/WebSocketListeners/SessionInfoWebSocketListener.cs b/Jellyfin.Api/WebSocketListeners/SessionInfoWebSocketListener.cs
index 0d8bf205c..0d614ba4f 100644
--- a/Jellyfin.Api/WebSocketListeners/SessionInfoWebSocketListener.cs
+++ b/Jellyfin.Api/WebSocketListeners/SessionInfoWebSocketListener.cs
@@ -1,5 +1,7 @@
 using System.Collections.Generic;
 using System.Threading.Tasks;
+using Jellyfin.Data.Enums;
+using MediaBrowser.Controller.Authentication;
 using MediaBrowser.Controller.Library;
 using MediaBrowser.Controller.Net;
 using MediaBrowser.Controller.Session;
@@ -66,6 +68,16 @@ public class SessionInfoWebSocketListener : BasePeriodicWebSocketListener<IEnume
         base.Dispose(dispose);
     }
 
+    private new void Start(WebSocketMessageInfo message)
+    {
+        if (!message.Connection.AuthorizationInfo.User.HasPermission(PermissionKind.IsAdministrator))
+        {
+            throw new AuthenticationException("Only admin users can subscribe to session information.");
+        }
+
+        base.Start(message);
+    }
+
     private async void OnSessionManagerSessionActivity(object? sender, SessionEventArgs e)
     {
         await SendData(false).ConfigureAwait(false);
author	Shadowghost <Ghost_of_Stone@web.de>	2023-06-09 17:11:22 +0200
committer	Shadowghost <Ghost_of_Stone@web.de>	2023-07-07 08:50:37 +0200
commit	05d98fe24c594ae43de4cd9f54139f8b04324119 (patch)
tree	cbea66216a973c6e9aafe2e6f661c1de4b58fe9a /Jellyfin.Api/WebSocketListeners/SessionInfoWebSocketListener.cs
parent	46a6755e65c9587fd1ae33ee4ffdb3cd406fd72b (diff)