| author | Luke Pulverenti <luke.pulverenti@gmail.com> | 2014-07-02 00:57:18 -0400 |
|---|---|---|
| committer | Luke Pulverenti <luke.pulverenti@gmail.com> | 2014-07-02 00:57:18 -0400 |
| commit | 389390b82ecfbb48e0486f8f132046ddf8624e00 (patch) | |
| tree | c03ffa22f3a2fe668bb9be7078ad83fea3177796 /MediaBrowser.Api/UserService.cs | |
| parent | 3bef6ead9cec4c33d43b6348ae4fc33c9b70316a (diff) | |
fixes #789 - Security Issue: API allows access to any folder of the PC running MediaBrowser
Diffstat (limited to 'MediaBrowser.Api/UserService.cs')
| -rw-r--r-- | MediaBrowser.Api/UserService.cs | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/MediaBrowser.Api/UserService.cs b/MediaBrowser.Api/UserService.cs
index 1932c8f93..764a28102 100644
--- a/MediaBrowser.Api/UserService.cs
+++ b/MediaBrowser.Api/UserService.cs
@@ -1,6 +1,7 @@
 using MediaBrowser.Common.Extensions;
 using MediaBrowser.Controller.Dto;
 using MediaBrowser.Controller.Library;
+using MediaBrowser.Controller.Net;
 using MediaBrowser.Controller.Session;
 using MediaBrowser.Model.Dto;
 using MediaBrowser.Model.Serialization;
@@ -152,7 +153,7 @@ namespace MediaBrowser.Api
 /// <summary>
 /// Class UsersService
 /// </summary>
- public class UserService : BaseApiService
+ public class UserService : BaseApiService, IHasAuthorization
 {
 /// <summary>
 /// The _XML serializer
@@ -166,6 +167,8 @@ namespace MediaBrowser.Api
 private readonly IDtoService _dtoService;
 private readonly ISessionManager _sessionMananger;
 
+ public IAuthorizationContext AuthorizationContext { get; set; }
+
 /// <summary>
 /// Initializes a new instance of the <see cref="UserService" /> class.
 /// </summary>
@@ -295,7 +298,7 @@ namespace MediaBrowser.Api
 throw new ResourceNotFoundException("User not found");
 }
 
- var auth = AuthorizationRequestFilterAttribute.GetAuthorization(Request);
+ var auth = AuthorizationContext.GetAuthorizationInfo(Request);
 
 // Login in the old way if the header is missing
 if (string.IsNullOrEmpty(auth.Client) || |
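Review bot: `AuthorizationContext` is added in the third hunk as a public settable property with no XML doc comment and no guard, and the last hunk dereferences it directly in `AuthorizationContext.GetAuthorizationInfo(Request)`. Whatever assigns it for `IHasAuthorization` services is not part of this diff; if that step is skipped for a request, the login path fails with a NullReferenceException instead of a clear error. Document it like the neighbouring members, e.g. `/// <summary>Gets or sets the authorization context used to read the caller's authorization info.</summary>`, and fail explicitly before use with `if (AuthorizationContext == null) throw new InvalidOperationException("AuthorizationContext has not been set");`.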
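Review bot: In the last hunk the branch under `// Login in the old way if the header is missing` is selected by `auth.Client` being empty, and that value appears to come from request data the caller controls, so any client can choose the legacy path by omitting it. The method continues outside the hunk, so it is not visible here whether the old path applies the same credential checks as the new one; that should be confirmed as part of a security fix. The result of `GetAuthorizationInfo(Request)` is also used without a null check on `auth.Client`; if the new interface can return null, guard it with `if (auth == null || string.IsNullOrEmpty(auth.Client) ||`. Logging each time the legacy branch is taken would make its use auditable until it can be removed.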
