aboutsummaryrefslogtreecommitdiff
path: root/MediaBrowser.Controller
diff options
context:
space:
mode:
authorLuke Pulverenti <luke.pulverenti@gmail.com>2014-07-02 00:57:18 -0400
committerLuke Pulverenti <luke.pulverenti@gmail.com>2014-07-02 00:57:18 -0400
commit389390b82ecfbb48e0486f8f132046ddf8624e00 (patch)
treec03ffa22f3a2fe668bb9be7078ad83fea3177796 /MediaBrowser.Controller
parent3bef6ead9cec4c33d43b6348ae4fc33c9b70316a (diff)
fixes #789 - Security Issue: API allows access to any folder of the PC running MediaBrowser
Diffstat (limited to 'MediaBrowser.Controller')
-rw-r--r--MediaBrowser.Controller/Entities/Folder.cs21
-rw-r--r--MediaBrowser.Controller/MediaBrowser.Controller.csproj8
-rw-r--r--MediaBrowser.Controller/Net/AuthenticatedAttribute.cs41
-rw-r--r--MediaBrowser.Controller/Net/AuthorizationInfo.cs32
-rw-r--r--MediaBrowser.Controller/Net/IAuthService.cs9
-rw-r--r--MediaBrowser.Controller/Net/IAuthorizationContext.cs14
-rw-r--r--MediaBrowser.Controller/Net/IHasAuthorization.cs12
-rw-r--r--MediaBrowser.Controller/Net/IHasResultFactory.cs3
-rw-r--r--MediaBrowser.Controller/Net/IHasSession.cs12
-rw-r--r--MediaBrowser.Controller/Net/IRestfulService.cs1
-rw-r--r--MediaBrowser.Controller/Net/ISessionContext.cs13
-rw-r--r--MediaBrowser.Controller/Net/LoggedAttribute.cs73
12 files changed, 222 insertions, 17 deletions
diff --git a/MediaBrowser.Controller/Entities/Folder.cs b/MediaBrowser.Controller/Entities/Folder.cs
index 52c414ae8..584091b13 100644
--- a/MediaBrowser.Controller/Entities/Folder.cs
+++ b/MediaBrowser.Controller/Entities/Folder.cs
@@ -780,7 +780,7 @@ namespace MediaBrowser.Controller.Entities
var list = new List<BaseItem>();
- var hasLinkedChildren = AddChildrenToList(user, includeLinkedChildren, list, false, null);
+ var hasLinkedChildren = AddChildrenToList(user, includeLinkedChildren, list, false);
return hasLinkedChildren ? list.DistinctBy(i => i.Id).ToList() : list;
}
@@ -797,9 +797,8 @@ namespace MediaBrowser.Controller.Entities
/// <param name="includeLinkedChildren">if set to <c>true</c> [include linked children].</param>
/// <param name="list">The list.</param>
/// <param name="recursive">if set to <c>true</c> [recursive].</param>
- /// <param name="filter">The filter.</param>
/// <returns><c>true</c> if XXXX, <c>false</c> otherwise</returns>
- private bool AddChildrenToList(User user, bool includeLinkedChildren, List<BaseItem> list, bool recursive, Func<BaseItem, bool> filter)
+ private bool AddChildrenToList(User user, bool includeLinkedChildren, List<BaseItem> list, bool recursive)
{
var hasLinkedChildren = false;
@@ -807,19 +806,16 @@ namespace MediaBrowser.Controller.Entities
{
if (child.IsVisible(user))
{
- if (filter == null || filter(child))
+ if (!child.IsHiddenFromUser(user))
{
- if (!child.IsHiddenFromUser(user))
- {
- list.Add(child);
- }
+ list.Add(child);
}
if (recursive && child.IsFolder)
{
var folder = (Folder)child;
- if (folder.AddChildrenToList(user, includeLinkedChildren, list, true, filter))
+ if (folder.AddChildrenToList(user, includeLinkedChildren, list, true))
{
hasLinkedChildren = true;
}
@@ -831,11 +827,6 @@ namespace MediaBrowser.Controller.Entities
{
foreach (var child in GetLinkedChildren())
{
- if (filter != null && !filter(child))
- {
- continue;
- }
-
if (child.IsVisible(user))
{
hasLinkedChildren = true;
@@ -864,7 +855,7 @@ namespace MediaBrowser.Controller.Entities
var list = new List<BaseItem>();
- var hasLinkedChildren = AddChildrenToList(user, includeLinkedChildren, list, true, null);
+ var hasLinkedChildren = AddChildrenToList(user, includeLinkedChildren, list, true);
return hasLinkedChildren ? list.DistinctBy(i => i.Id).ToList() : list;
}
diff --git a/MediaBrowser.Controller/MediaBrowser.Controller.csproj b/MediaBrowser.Controller/MediaBrowser.Controller.csproj
index 1310e7797..ae7118be9 100644
--- a/MediaBrowser.Controller/MediaBrowser.Controller.csproj
+++ b/MediaBrowser.Controller/MediaBrowser.Controller.csproj
@@ -195,10 +195,18 @@
<Compile Include="MediaEncoding\ISubtitleEncoder.cs" />
<Compile Include="MediaEncoding\MediaStreamSelector.cs" />
<Compile Include="MediaEncoding\VideoEncodingOptions.cs" />
+ <Compile Include="Net\AuthenticatedAttribute.cs" />
+ <Compile Include="Net\AuthorizationInfo.cs" />
+ <Compile Include="Net\IAuthorizationContext.cs" />
+ <Compile Include="Net\IAuthService.cs" />
+ <Compile Include="Net\IHasAuthorization.cs" />
<Compile Include="Net\IHasResultFactory.cs" />
+ <Compile Include="Net\IHasSession.cs" />
<Compile Include="Net\IHttpResultFactory.cs" />
<Compile Include="Net\IHttpServer.cs" />
<Compile Include="Net\IRestfulService.cs" />
+ <Compile Include="Net\ISessionContext.cs" />
+ <Compile Include="Net\LoggedAttribute.cs" />
<Compile Include="News\INewsService.cs" />
<Compile Include="Notifications\INotificationManager.cs" />
<Compile Include="Notifications\INotificationService.cs" />
diff --git a/MediaBrowser.Controller/Net/AuthenticatedAttribute.cs b/MediaBrowser.Controller/Net/AuthenticatedAttribute.cs
new file mode 100644
index 000000000..567d20f39
--- /dev/null
+++ b/MediaBrowser.Controller/Net/AuthenticatedAttribute.cs
@@ -0,0 +1,41 @@
+using ServiceStack.Web;
+using System;
+
+namespace MediaBrowser.Controller.Net
+{
+ public class AuthenticatedAttribute : Attribute, IHasRequestFilter
+ {
+ public IAuthService AuthService { get; set; }
+
+ /// <summary>
+ /// The request filter is executed before the service.
+ /// </summary>
+ /// <param name="request">The http request wrapper</param>
+ /// <param name="response">The http response wrapper</param>
+ /// <param name="requestDto">The request DTO</param>
+ public void RequestFilter(IRequest request, IResponse response, object requestDto)
+ {
+ AuthService.Authenticate(request, response, requestDto);
+ }
+
+ /// <summary>
+ /// A new shallow copy of this filter is used on every request.
+ /// </summary>
+ /// <returns>IHasRequestFilter.</returns>
+ public IHasRequestFilter Copy()
+ {
+ return this;
+ }
+
+ /// <summary>
+ /// Order in which Request Filters are executed.
+ /// &lt;0 Executed before global request filters
+ /// &gt;0 Executed after global request filters
+ /// </summary>
+ /// <value>The priority.</value>
+ public int Priority
+ {
+ get { return 0; }
+ }
+ }
+}
diff --git a/MediaBrowser.Controller/Net/AuthorizationInfo.cs b/MediaBrowser.Controller/Net/AuthorizationInfo.cs
new file mode 100644
index 000000000..e609204d6
--- /dev/null
+++ b/MediaBrowser.Controller/Net/AuthorizationInfo.cs
@@ -0,0 +1,32 @@
+
+namespace MediaBrowser.Controller.Net
+{
+ public class AuthorizationInfo
+ {
+ /// <summary>
+ /// Gets or sets the user identifier.
+ /// </summary>
+ /// <value>The user identifier.</value>
+ public string UserId { get; set; }
+ /// <summary>
+ /// Gets or sets the device identifier.
+ /// </summary>
+ /// <value>The device identifier.</value>
+ public string DeviceId { get; set; }
+ /// <summary>
+ /// Gets or sets the device.
+ /// </summary>
+ /// <value>The device.</value>
+ public string Device { get; set; }
+ /// <summary>
+ /// Gets or sets the client.
+ /// </summary>
+ /// <value>The client.</value>
+ public string Client { get; set; }
+ /// <summary>
+ /// Gets or sets the version.
+ /// </summary>
+ /// <value>The version.</value>
+ public string Version { get; set; }
+ }
+}
diff --git a/MediaBrowser.Controller/Net/IAuthService.cs b/MediaBrowser.Controller/Net/IAuthService.cs
new file mode 100644
index 000000000..41859395b
--- /dev/null
+++ b/MediaBrowser.Controller/Net/IAuthService.cs
@@ -0,0 +1,9 @@
+using ServiceStack.Web;
+
+namespace MediaBrowser.Controller.Net
+{
+ public interface IAuthService
+ {
+ void Authenticate(IRequest request, IResponse response, object requestDto);
+ }
+}
diff --git a/MediaBrowser.Controller/Net/IAuthorizationContext.cs b/MediaBrowser.Controller/Net/IAuthorizationContext.cs
new file mode 100644
index 000000000..9cf562370
--- /dev/null
+++ b/MediaBrowser.Controller/Net/IAuthorizationContext.cs
@@ -0,0 +1,14 @@
+using ServiceStack.Web;
+
+namespace MediaBrowser.Controller.Net
+{
+ public interface IAuthorizationContext
+ {
+ /// <summary>
+ /// Gets the authorization information.
+ /// </summary>
+ /// <param name="requestContext">The request context.</param>
+ /// <returns>AuthorizationInfo.</returns>
+ AuthorizationInfo GetAuthorizationInfo(IRequest requestContext);
+ }
+}
diff --git a/MediaBrowser.Controller/Net/IHasAuthorization.cs b/MediaBrowser.Controller/Net/IHasAuthorization.cs
new file mode 100644
index 000000000..6fc70159d
--- /dev/null
+++ b/MediaBrowser.Controller/Net/IHasAuthorization.cs
@@ -0,0 +1,12 @@
+
+namespace MediaBrowser.Controller.Net
+{
+ public interface IHasAuthorization
+ {
+ /// <summary>
+ /// Gets or sets the authorization context.
+ /// </summary>
+ /// <value>The authorization context.</value>
+ IAuthorizationContext AuthorizationContext { get; set; }
+ }
+}
diff --git a/MediaBrowser.Controller/Net/IHasResultFactory.cs b/MediaBrowser.Controller/Net/IHasResultFactory.cs
index a87113d1f..3988b8d61 100644
--- a/MediaBrowser.Controller/Net/IHasResultFactory.cs
+++ b/MediaBrowser.Controller/Net/IHasResultFactory.cs
@@ -1,5 +1,4 @@
-using MediaBrowser.Common.Net;
-using ServiceStack.Web;
+using ServiceStack.Web;
namespace MediaBrowser.Controller.Net
{
diff --git a/MediaBrowser.Controller/Net/IHasSession.cs b/MediaBrowser.Controller/Net/IHasSession.cs
new file mode 100644
index 000000000..e762c1e84
--- /dev/null
+++ b/MediaBrowser.Controller/Net/IHasSession.cs
@@ -0,0 +1,12 @@
+
+namespace MediaBrowser.Controller.Net
+{
+ public interface IHasSession
+ {
+ /// <summary>
+ /// Gets or sets the session context.
+ /// </summary>
+ /// <value>The session context.</value>
+ ISessionContext SessionContext { get; set; }
+ }
+}
diff --git a/MediaBrowser.Controller/Net/IRestfulService.cs b/MediaBrowser.Controller/Net/IRestfulService.cs
index f55012b73..7d07bb094 100644
--- a/MediaBrowser.Controller/Net/IRestfulService.cs
+++ b/MediaBrowser.Controller/Net/IRestfulService.cs
@@ -5,6 +5,7 @@ namespace MediaBrowser.Controller.Net
/// <summary>
/// Interface IRestfulService
/// </summary>
+ [Logged]
public interface IRestfulService : IService
{
}
diff --git a/MediaBrowser.Controller/Net/ISessionContext.cs b/MediaBrowser.Controller/Net/ISessionContext.cs
new file mode 100644
index 000000000..31ccd5373
--- /dev/null
+++ b/MediaBrowser.Controller/Net/ISessionContext.cs
@@ -0,0 +1,13 @@
+using MediaBrowser.Controller.Entities;
+using MediaBrowser.Controller.Session;
+using ServiceStack.Web;
+
+namespace MediaBrowser.Controller.Net
+{
+ public interface ISessionContext
+ {
+ SessionInfo GetSession(IRequest requestContext);
+
+ User GetUser(IRequest requestContext);
+ }
+}
diff --git a/MediaBrowser.Controller/Net/LoggedAttribute.cs b/MediaBrowser.Controller/Net/LoggedAttribute.cs
new file mode 100644
index 000000000..6df72f7a7
--- /dev/null
+++ b/MediaBrowser.Controller/Net/LoggedAttribute.cs
@@ -0,0 +1,73 @@
+using MediaBrowser.Controller.Entities;
+using MediaBrowser.Controller.Library;
+using MediaBrowser.Controller.Session;
+using MediaBrowser.Model.Logging;
+using ServiceStack.Web;
+using System;
+
+namespace MediaBrowser.Controller.Net
+{
+ public class LoggedAttribute : Attribute, IHasRequestFilter
+ {
+ public ILogger Logger { get; set; }
+ public IUserManager UserManager { get; set; }
+ public ISessionManager SessionManager { get; set; }
+ public IAuthorizationContext AuthorizationContext { get; set; }
+
+ /// <summary>
+ /// The request filter is executed before the service.
+ /// </summary>
+ /// <param name="request">The http request wrapper</param>
+ /// <param name="response">The http response wrapper</param>
+ /// <param name="requestDto">The request DTO</param>
+ public void RequestFilter(IRequest request, IResponse response, object requestDto)
+ {
+ //This code is executed before the service
+ var auth = AuthorizationContext.GetAuthorizationInfo(request);
+
+ if (auth != null)
+ {
+ User user = null;
+
+ if (!string.IsNullOrWhiteSpace(auth.UserId))
+ {
+ var userId = auth.UserId;
+
+ user = UserManager.GetUserById(new Guid(userId));
+ }
+
+ string deviceId = auth.DeviceId;
+ string device = auth.Device;
+ string client = auth.Client;
+ string version = auth.Version;
+
+ if (!string.IsNullOrEmpty(client) && !string.IsNullOrEmpty(deviceId) && !string.IsNullOrEmpty(device) && !string.IsNullOrEmpty(version))
+ {
+ var remoteEndPoint = request.RemoteIp;
+
+ SessionManager.LogSessionActivity(client, version, deviceId, device, remoteEndPoint, user);
+ }
+ }
+ }
+
+ /// <summary>
+ /// A new shallow copy of this filter is used on every request.
+ /// </summary>
+ /// <returns>IHasRequestFilter.</returns>
+ public IHasRequestFilter Copy()
+ {
+ return this;
+ }
+
+ /// <summary>
+ /// Order in which Request Filters are executed.
+ /// &lt;0 Executed before global request filters
+ /// &gt;0 Executed after global request filters
+ /// </summary>
+ /// <value>The priority.</value>
+ public int Priority
+ {
+ get { return 0; }
+ }
+ }
+}
generated by cgit v1.2.3 (git 2.46.0) at 2026-01-06 14:21:14 +0000