authorLuke Pulverenti <luke.pulverenti@gmail.com>2014-07-02 00:57:18 -0400
committerLuke Pulverenti <luke.pulverenti@gmail.com>2014-07-02 00:57:18 -0400
commit389390b82ecfbb48e0486f8f132046ddf8624e00 (patch)
treec03ffa22f3a2fe668bb9be7078ad83fea3177796 /MediaBrowser.Api/BaseApiService.cs
parent3bef6ead9cec4c33d43b6348ae4fc33c9b70316a (diff)
fixes #789 - Security Issue: API allows access to any folder of the PC running MediaBrowser
Diffstat (limited to 'MediaBrowser.Api/BaseApiService.cs')
-rw-r--r--MediaBrowser.Api/BaseApiService.cs13
1 files changed, 6 insertions, 7 deletions
diff --git a/MediaBrowser.Api/BaseApiService.cs b/MediaBrowser.Api/BaseApiService.cs
index f1d596213..09eb1ea41 100644
--- a/MediaBrowser.Api/BaseApiService.cs
+++ b/MediaBrowser.Api/BaseApiService.cs
@@ -14,8 +14,7 @@ namespace MediaBrowser.Api
/// <summary>
/// Class BaseApiService
/// </summary>
- [AuthorizationRequestFilter]
- public class BaseApiService : IHasResultFactory, IRestfulService
+ public class BaseApiService : IHasResultFactory, IRestfulService, IHasSession
{
/// <summary>
/// Gets or sets the logger.
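Review bot: Removing `[AuthorizationRequestFilter]` from `BaseApiService` means services deriving from it no longer pick up a request filter from this class, and nothing in this file replaces it. The diffstat shown is limited to this file, so the check presumably moves to per-service attributes elsewhere in the commit; if so, authentication becomes opt-in and a service that omits the attribute would be reachable without it. I would record that on the class, e.g. `/// Does not enforce authentication itself; derived services must apply their own request filter.`, and consider a test that enumerates the service types and fails on any without one. The class body continues outside the hunk.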
@@ -35,6 +34,8 @@ namespace MediaBrowser.Api
/// <value>The request context.</value>
public IRequest Request { get; set; }
+ public ISessionContext SessionContext { get; set; }
+
public string GetHeader(string name)
{
return Request.Headers[name];
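Review bot: The new `SessionContext` property has no XML doc comment, although the neighbouring `Request` property carries one, and it is publicly settable. A comment such as `/// <summary>Gets or sets the session context used to resolve the caller's session from the request.</summary>` would match the file's style. Because `GetSession()` now depends on it, the comment should also say that the property is expected to be populated before a request is handled; how it gets set is not visible in this file, so that is an assumption to confirm.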
@@ -82,13 +83,11 @@ namespace MediaBrowser.Api
/// <summary>
/// Gets the session.
/// </summary>
- /// <param name="sessionManager">The session manager.</param>
/// <returns>SessionInfo.</returns>
- protected SessionInfo GetSession(ISessionManager sessionManager)
+ /// <exception cref="System.ArgumentException">Session not found.</exception>
+ protected SessionInfo GetSession()
{
- var auth = AuthorizationRequestFilterAttribute.GetAuthorization(Request);
-
- var session = sessionManager.GetSession(auth.DeviceId, auth.Client, auth.Version);
+ var session = SessionContext.GetSession(Request);
if (session == null)
{
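Review bot: `SessionContext.GetSession(Request)` dereferences a settable property without a guard, so a service instance that never had it assigned fails with a NullReferenceException rather than the `ArgumentException` the new doc comment promises. A check before the call, e.g. `if (SessionContext == null) throw new InvalidOperationException("SessionContext has not been set.");`, would make that failure explicit. Session lookup now also depends entirely on what `ISessionContext` reads from the request; if that turns out to be client-supplied header data, the doc comment should say that the returned `SessionInfo` is not proof of authentication on its own. The body of `GetSession` continues past the end of the hunk.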