1 files changed, 23 insertions, 13 deletions

diff --git a/Emby.Server.Implementations/HttpServer/Security/AuthService.cs b/Emby.Server.Implementations/HttpServer/Security/AuthService.cs
index 4d00c9b19..fadab4482 100644
--- a/Emby.Server.Implementations/HttpServer/Security/AuthService.cs
+++ b/Emby.Server.Implementations/HttpServer/Security/AuthService.cs
@@ -7,8 +7,8 @@ using MediaBrowser.Controller.Net;
 using MediaBrowser.Controller.Security;
 using MediaBrowser.Controller.Session;
 using System;
-using System.Collections.Generic;
 using System.Linq;
+using MediaBrowser.Model.Services;
 
 namespace Emby.Server.Implementations.HttpServer.Security
 {
@@ -38,19 +38,19 @@ namespace Emby.Server.Implementations.HttpServer.Security
         /// </summary>
         public string HtmlRedirect { get; set; }
 
-        public void Authenticate(IServiceRequest request,
+        public void Authenticate(IRequest request,
             IAuthenticationAttributes authAttribtues)
         {
             ValidateUser(request, authAttribtues);
         }
 
-        private void ValidateUser(IServiceRequest request,
+        private void ValidateUser(IRequest request,
             IAuthenticationAttributes authAttribtues)
         {
             // This code is executed before the service
             var auth = AuthorizationContext.GetAuthorizationInfo(request);
 
-            if (!IsExemptFromAuthenticationToken(auth, authAttribtues))
+            if (!IsExemptFromAuthenticationToken(auth, authAttribtues, request))
             {
                 var valid = IsValidConnectKey(auth.Token);
 
@@ -76,9 +76,9 @@ namespace Emby.Server.Implementations.HttpServer.Security
 
             var info = GetTokenInfo(request);
 
-            if (!IsExemptFromRoles(auth, authAttribtues, info))
+            if (!IsExemptFromRoles(auth, authAttribtues, request, info))
             {
-                var roles = authAttribtues.GetRoles().ToList();
+                var roles = authAttribtues.GetRoles();
 
                 ValidateRoles(roles, user);
             }
@@ -96,7 +96,7 @@ namespace Emby.Server.Implementations.HttpServer.Security
             }
         }
 
-        private void ValidateUserAccess(User user, IServiceRequest request,
+        private void ValidateUserAccess(User user, IRequest request,
             IAuthenticationAttributes authAttribtues,
             AuthorizationInfo auth)
         {
@@ -112,7 +112,7 @@ namespace Emby.Server.Implementations.HttpServer.Security
                 !authAttribtues.EscapeParentalControl &&
                 !user.IsParentalScheduleAllowed())
             {
-                request.AddResponseHeader("X-Application-Error-Code", "ParentalControl");
+                request.Response.AddHeader("X-Application-Error-Code", "ParentalControl");
 
                 throw new SecurityException("This user account is not allowed access at this time.")
                 {
@@ -132,23 +132,33 @@ namespace Emby.Server.Implementations.HttpServer.Security
             }
         }
 
-        private bool IsExemptFromAuthenticationToken(AuthorizationInfo auth, IAuthenticationAttributes authAttribtues)
+        private bool IsExemptFromAuthenticationToken(AuthorizationInfo auth, IAuthenticationAttributes authAttribtues, IRequest request)
         {
             if (!_config.Configuration.IsStartupWizardCompleted && authAttribtues.AllowBeforeStartupWizard)
             {
                 return true;
             }
 
+            if (authAttribtues.AllowLocal && request.IsLocal)
+            {
+                return true;
+            }
+
             return false;
         }
 
-        private bool IsExemptFromRoles(AuthorizationInfo auth, IAuthenticationAttributes authAttribtues, AuthenticationInfo tokenInfo)
+        private bool IsExemptFromRoles(AuthorizationInfo auth, IAuthenticationAttributes authAttribtues, IRequest request, AuthenticationInfo tokenInfo)
         {
             if (!_config.Configuration.IsStartupWizardCompleted && authAttribtues.AllowBeforeStartupWizard)
             {
                 return true;
             }
 
+            if (authAttribtues.AllowLocal && request.IsLocal)
+            {
+                return true;
+            }
+
             if (string.IsNullOrWhiteSpace(auth.Token))
             {
                 return true;
@@ -162,7 +172,7 @@ namespace Emby.Server.Implementations.HttpServer.Security
             return false;
         }
 
-        private void ValidateRoles(List<string> roles, User user)
+        private void ValidateRoles(string[] roles, User user)
         {
             if (roles.Contains("admin", StringComparer.OrdinalIgnoreCase))
             {
@@ -196,7 +206,7 @@ namespace Emby.Server.Implementations.HttpServer.Security
             }
         }
 
-        private AuthenticationInfo GetTokenInfo(IServiceRequest request)
+        private AuthenticationInfo GetTokenInfo(IRequest request)
         {
             object info;
             request.Items.TryGetValue("OriginalAuthenticationInfo", out info);
@@ -213,7 +223,7 @@ namespace Emby.Server.Implementations.HttpServer.Security
             return ConnectManager.IsAuthorizationTokenValid(token);
         }
 
-        private void ValidateSecurityToken(IServiceRequest request, string token)
+        private void ValidateSecurityToken(IRequest request, string token)
         {
             if (string.IsNullOrWhiteSpace(token))
             {