Diffstat (limited to 'MediaBrowser.Api/UserService.cs')
-rw-r--r--MediaBrowser.Api/UserService.cs30
1 files changed, 5 insertions, 25 deletions
diff --git a/MediaBrowser.Api/UserService.cs b/MediaBrowser.Api/UserService.cs
index c17f33348..3996a0311 100644
--- a/MediaBrowser.Api/UserService.cs
+++ b/MediaBrowser.Api/UserService.cs
@@ -253,18 +253,14 @@ namespace MediaBrowser.Api
/// The _user manager
/// </summary>
private readonly IUserManager _userManager;
- private readonly IDtoService _dtoService;
private readonly ISessionManager _sessionMananger;
private readonly IServerConfigurationManager _config;
private readonly INetworkManager _networkManager;
private readonly IDeviceManager _deviceManager;
- public IAuthorizationContext AuthorizationContext { get; set; }
-
- public UserService(IUserManager userManager, IDtoService dtoService, ISessionManager sessionMananger, IServerConfigurationManager config, INetworkManager networkManager, IDeviceManager deviceManager)
+ public UserService(IUserManager userManager, ISessionManager sessionMananger, IServerConfigurationManager config, INetworkManager networkManager, IDeviceManager deviceManager)
{
_userManager = userManager;
- _dtoService = dtoService;
_sessionMananger = sessionMananger;
_config = config;
_networkManager = networkManager;
@@ -464,7 +460,7 @@ namespace MediaBrowser.Api
public async Task PostAsync(UpdateUserPassword request)
{
- AssertCanUpdateUser(request.Id);
+ AssertCanUpdateUser(_userManager, request.Id);
var user = _userManager.GetUserById(request.Id);
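Review bot: The ownership check on this password-update path now relies on an `AssertCanUpdateUser(_userManager, ...)` whose definition is not part of this file's diff. From here it cannot be confirmed that it still compares the target id to the authenticated caller's id with `StringComparison.OrdinalIgnoreCase` and throws `SecurityException` for non-administrators, as the removed private helper did. The same applies to the calls in `PostAsync(UpdateUserEasyPassword)`, the path-id update and `Post(UpdateUserConfiguration)`. A short comment at each call site would keep the contract visible, e.g. `// Callers may only modify their own record unless they are an administrator; throws SecurityException otherwise.` The removed helper also read `authenticatedUser.Policy` without a null check, so it is worth verifying how the relocated one behaves when the caller's user record cannot be resolved; `PostAsync` continues outside this hunk.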
@@ -498,7 +494,7 @@ namespace MediaBrowser.Api
public async Task PostAsync(UpdateUserEasyPassword request)
{
- AssertCanUpdateUser(request.Id);
+ AssertCanUpdateUser(_userManager, request.Id);
var user = _userManager.GetUserById(request.Id);
@@ -534,7 +530,7 @@ namespace MediaBrowser.Api
// https://code.google.com/p/servicestack/source/browse/trunk/Common/ServiceStack.Text/ServiceStack.Text/Controller/PathInfo.cs
var id = GetPathValue(1);
- AssertCanUpdateUser(id);
+ AssertCanUpdateUser(_userManager, id);
var dtoUser = request;
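Review bot: The authorization check here covers the `id` read from the URL path via `GetPathValue(1)`, while the values to apply come from the request body (`var dtoUser = request;`). If the code after this hunk resolves the target user from the body instead of from the checked `id`, the check and the update would refer to different accounts. The lookup should use the checked value, e.g. `var user = _userManager.GetUserById(id);`, and a body that names a different user than the path would be better rejected than ignored. The method starts and ends outside this hunk, so this needs confirming against the full file.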
@@ -584,29 +580,13 @@ namespace MediaBrowser.Api
public void Post(UpdateUserConfiguration request)
{
- AssertCanUpdateUser(request.Id);
+ AssertCanUpdateUser(_userManager, request.Id);
var task = _userManager.UpdateConfiguration(request.Id, request);
Task.WaitAll(task);
}
- private void AssertCanUpdateUser(string userId)
- {
- var auth = AuthorizationContext.GetAuthorizationInfo(Request);
-
- // If they're going to update the record of another user, they must be an administrator
- if (!string.Equals(userId, auth.UserId, StringComparison.OrdinalIgnoreCase))
- {
- var authenticatedUser = _userManager.GetUserById(auth.UserId);
-
- if (!authenticatedUser.Policy.IsAdministrator)
- {
- throw new SecurityException("Unauthorized access.");
- }
- }
- }
-
public void Post(UpdateUserPolicy request)
{
var task = UpdateUserPolicy(request);