Merge pull request #1005 from MediaBrowser/dev

3.0.5518.0
author: Luke <luke.pulverenti@gmail.com> 2015-02-09 16:58:30 -0500
committer: Luke <luke.pulverenti@gmail.com> 2015-02-09 16:58:30 -0500
commit: 4cc3b2f0ccd7c092a4acf72db4903415e175037a (patch)
tree: f9f90f8665b726253b8b357674f2f141aa43abc9 /MediaBrowser.Server.Implementations/HttpServer/Security/AuthService.cs
parent: e7037a9b80843c127712f11430239f8fa3cb4aed (diff)
parent: 3d7089a7dbabb652730c892206ca050f52f832b1 (diff)
1 files changed, 32 insertions, 3 deletions
diff --git a/MediaBrowser.Server.Implementations/HttpServer/Security/AuthService.cs b/MediaBrowser.Server.Implementations/HttpServer/Security/AuthService.cs
index c374a31b3..3903c62b1 100644
--- a/MediaBrowser.Server.Implementations/HttpServer/Security/AuthService.cs
+++ b/MediaBrowser.Server.Implementations/HttpServer/Security/AuthService.cs
@@ -74,7 +74,9 @@ namespace MediaBrowser.Server.Implementations.HttpServer.Security
                 ValidateUserAccess(user, request, authAttribtues, auth);
             }
 
-            if (!IsExemptFromRoles(auth, authAttribtues))
+            var info = GetTokenInfo(request);
+
+            if (!IsExemptFromRoles(auth, authAttribtues, info))
             {
                 var roles = authAttribtues.GetRoles().ToList();
 
@@ -142,7 +144,7 @@ namespace MediaBrowser.Server.Implementations.HttpServer.Security
                 StringComparer.OrdinalIgnoreCase);
         }
 
-        private bool IsExemptFromRoles(AuthorizationInfo auth, IAuthenticationAttributes authAttribtues)
+        private bool IsExemptFromRoles(AuthorizationInfo auth, IAuthenticationAttributes authAttribtues, AuthenticationInfo tokenInfo)
         {
             if (!_config.Configuration.IsStartupWizardCompleted &&
                 authAttribtues.AllowBeforeStartupWizard)
@@ -150,6 +152,16 @@ namespace MediaBrowser.Server.Implementations.HttpServer.Security
                 return true;
             }
 
+            if (string.IsNullOrWhiteSpace(auth.Token))
+            {
+                return true;
+            }
+
+            if (tokenInfo != null && string.IsNullOrWhiteSpace(tokenInfo.UserId))
+            {
+                return true;
+            }
+
             return false;
         }
 
@@ -175,6 +187,23 @@ namespace MediaBrowser.Server.Implementations.HttpServer.Security
                     };
                 }
             }
+            if (roles.Contains("download", StringComparer.OrdinalIgnoreCase))
+            {
+                if (user == null || !user.Policy.EnableContentDownloading)
+                {
+                    throw new SecurityException("User does not have download access.")
+                    {
+                        SecurityExceptionType = SecurityExceptionType.Unauthenticated
+                    };
+                }
+            }
+        }
+
+        private AuthenticationInfo GetTokenInfo(IServiceRequest request)
+        {
+            object info;
+            request.Items.TryGetValue("OriginalAuthenticationInfo", out info);
+            return info as AuthenticationInfo;
         }
 
         private bool IsValidConnectKey(string token)
@@ -194,7 +223,7 @@ namespace MediaBrowser.Server.Implementations.HttpServer.Security
                 throw new SecurityException("Access token is invalid or expired.");
             }
 
-            var info = (AuthenticationInfo)request.Items["OriginalAuthenticationInfo"];
+            var info = GetTokenInfo(request);
 
             if (info == null)
             {
author	Luke <luke.pulverenti@gmail.com>	2015-02-09 16:58:30 -0500
committer	Luke <luke.pulverenti@gmail.com>	2015-02-09 16:58:30 -0500
commit	4cc3b2f0ccd7c092a4acf72db4903415e175037a (patch)
tree	f9f90f8665b726253b8b357674f2f141aa43abc9 /MediaBrowser.Server.Implementations/HttpServer/Security/AuthService.cs
parent	e7037a9b80843c127712f11430239f8fa3cb4aed (diff)
parent	3d7089a7dbabb652730c892206ca050f52f832b1 (diff)