aboutsummaryrefslogtreecommitdiff
path: root/Jellyfin.Api/Auth/DefaultAuthorizationPolicy/DefaultAuthorizationHandler.cs
diff options
context:
space:
mode:
Diffstat (limited to 'Jellyfin.Api/Auth/DefaultAuthorizationPolicy/DefaultAuthorizationHandler.cs')
-rw-r--r--Jellyfin.Api/Auth/DefaultAuthorizationPolicy/DefaultAuthorizationHandler.cs53
1 files changed, 48 insertions, 5 deletions
diff --git a/Jellyfin.Api/Auth/DefaultAuthorizationPolicy/DefaultAuthorizationHandler.cs b/Jellyfin.Api/Auth/DefaultAuthorizationPolicy/DefaultAuthorizationHandler.cs
index be77b7a4e..b1d97e4a1 100644
--- a/Jellyfin.Api/Auth/DefaultAuthorizationPolicy/DefaultAuthorizationHandler.cs
+++ b/Jellyfin.Api/Auth/DefaultAuthorizationPolicy/DefaultAuthorizationHandler.cs
@@ -1,4 +1,8 @@
using System.Threading.Tasks;
+using Jellyfin.Api.Constants;
+using Jellyfin.Api.Extensions;
+using Jellyfin.Data.Enums;
+using MediaBrowser.Common.Extensions;
using MediaBrowser.Common.Net;
using MediaBrowser.Controller.Library;
using Microsoft.AspNetCore.Authorization;
@@ -9,8 +13,12 @@ namespace Jellyfin.Api.Auth.DefaultAuthorizationPolicy
/// <summary>
/// Default authorization handler.
/// </summary>
- public class DefaultAuthorizationHandler : BaseAuthorizationHandler<DefaultAuthorizationRequirement>
+ public class DefaultAuthorizationHandler : AuthorizationHandler<DefaultAuthorizationRequirement>
{
+ private readonly IUserManager _userManager;
+ private readonly INetworkManager _networkManager;
+ private readonly IHttpContextAccessor _httpContextAccessor;
+
/// <summary>
/// Initializes a new instance of the <see cref="DefaultAuthorizationHandler"/> class.
/// </summary>
@@ -21,21 +29,56 @@ namespace Jellyfin.Api.Auth.DefaultAuthorizationPolicy
IUserManager userManager,
INetworkManager networkManager,
IHttpContextAccessor httpContextAccessor)
- : base(userManager, networkManager, httpContextAccessor)
{
+ _userManager = userManager;
+ _networkManager = networkManager;
+ _httpContextAccessor = httpContextAccessor;
}
/// <inheritdoc />
protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, DefaultAuthorizationRequirement requirement)
{
- var validated = ValidateClaims(context.User);
- if (validated)
+ var isApiKey = context.User.GetIsApiKey();
+ var userId = context.User.GetUserId();
+ // This likely only happens during the wizard, so skip the default checks and let any other handlers do it
+ if (!isApiKey && userId.Equals(default))
+ {
+ return Task.CompletedTask;
+ }
+
+ var isInLocalNetwork = _httpContextAccessor.HttpContext is not null
+ && _networkManager.IsInLocalNetwork(_httpContextAccessor.HttpContext.GetNormalizedRemoteIp());
+ var user = _userManager.GetUserById(userId);
+ if (user is null)
+ {
+ throw new ResourceNotFoundException();
+ }
+
+ // User cannot access remotely and user is remote
+ if (!isInLocalNetwork && !user.HasPermission(PermissionKind.EnableRemoteAccess))
+ {
+ context.Fail();
+ return Task.CompletedTask;
+ }
+
+ // Admins can do everything
+ if (isApiKey || context.User.IsInRole(UserRoles.Administrator))
{
context.Succeed(requirement);
+ return Task.CompletedTask;
}
- else
+
+ // It's not great to have this check, but parental schedule must usually be honored except in a few rare cases
+ if (requirement.ValidateParentalSchedule && !user.IsParentalScheduleAllowed())
{
context.Fail();
+ return Task.CompletedTask;
+ }
+
+ // Only succeed if the requirement isn't a subclass as any subclassed requirement will handle success in its own handler
+ if (requirement.GetType() == typeof(DefaultAuthorizationRequirement))
+ {
+ context.Succeed(requirement);
}
return Task.CompletedTask;
generated by cgit v1.2.3 (git 2.46.0) at 2025-12-06 12:55:37 +0000