authorBond-009 <bond.009@outlook.com>2020-05-07 14:52:10 +0200
committerGitHub <noreply@github.com>2020-05-07 14:52:10 +0200
commit62da4d0e5c05ae12c57bcbbacd73e792c70ae9ae (patch)
treef48de8012d3bc1c36378f57f649679932db4fdd0 /MediaBrowser.Api/UserService.cs
parent41b667c1374794421a1f9d324ef5156609de8464 (diff)
parent5c6339d8fd4b12237c6cb8eb9d115d59c9c27ddf (diff)
Merge pull request #2492 from Polpetta/fix-api-private-data-leak
Fix emby/user/public API leaking sensitive data
Diffstat (limited to 'MediaBrowser.Api/UserService.cs')
-rw-r--r--MediaBrowser.Api/UserService.cs38
1 files changed, 27 insertions, 11 deletions
diff --git a/MediaBrowser.Api/UserService.cs b/MediaBrowser.Api/UserService.cs
index 78fc6c694..7d4d5fcf9 100644
--- a/MediaBrowser.Api/UserService.cs
+++ b/MediaBrowser.Api/UserService.cs
@@ -35,7 +35,7 @@ namespace MediaBrowser.Api
}
[Route("/Users/Public", "GET", Summary = "Gets a list of publicly visible users for display on a login screen.")]
- public class GetPublicUsers : IReturn<UserDto[]>
+ public class GetPublicUsers : IReturn<PublicUserDto[]>
{
}
@@ -266,22 +266,38 @@ namespace MediaBrowser.Api
_authContext = authContext;
}
+ /// <summary>
+ /// Gets the public available Users information
+ /// </summary>
+ /// <param name="request">The request.</param>
+ /// <returns>System.Object.</returns>
public object Get(GetPublicUsers request)
{
- // If the startup wizard hasn't been completed then just return all users
- if (!ServerConfigurationManager.Configuration.IsStartupWizardCompleted)
+ var result = _userManager
+ .Users
+ .Where(item => !item.Policy.IsDisabled);
+
+ if (ServerConfigurationManager.Configuration.IsStartupWizardCompleted)
{
- return Get(new GetUsers
+ var deviceId = _authContext.GetAuthorizationInfo(Request).DeviceId;
+ result = result.Where(item => !item.Policy.IsHidden);
+
+ if (!string.IsNullOrWhiteSpace(deviceId))
{
- IsDisabled = false
- });
+ result = result.Where(i => _deviceManager.CanAccessDevice(i, deviceId));
+ }
+
+ if (!_networkManager.IsInLocalNetwork(Request.RemoteIp))
+ {
+ result = result.Where(i => i.Policy.EnableRemoteAccess);
+ }
}
- return Get(new GetUsers
- {
- IsHidden = false,
- IsDisabled = false
- }, true, true);
+ return ToOptimizedResult(result
+ .OrderBy(u => u.Name)
+ .Select(i => _userManager.GetPublicUserDto(i, Request.RemoteIp))
+ .ToArray()
+ );
}
/// <summary>
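Review bot: The XML doc added above `Get(GetPublicUsers)` ends with `<returns>System.Object.</returns>`, which tells a caller nothing about what the endpoint exposes; suggest `/// <returns>An optimized <see cref="PublicUserDto"/> array, ordered by name, of the users allowed to appear on the login screen.</returns>` and a summary that states the filter chain (disabled users are always excluded; once the startup wizard is completed, hidden users, users that cannot access the requesting device and, for requests from outside the local network, users without remote access are excluded as well). The `IsStartupWizardCompleted` branch also deserves a why-comment, because before setup completes the hidden/device/remote-access filters are skipped and every enabled user is listed to any caller, e.g. `// NOTE(review): before the startup wizard completes only the IsDisabled filter applies, so the full enabled-user list is exposed — matches the previous behaviour, confirm this is intended.`. If `Get(GetUsers)` (outside this hunk) applies the same policy filters, consider moving the chain into a shared private helper so the two code paths cannot drift apart. The enclosing UserService class continues outside the hunk.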