From 209edd38a4163a8cf4abd5e47bfe0ea1a100f351 Mon Sep 17 00:00:00 2001
From: cvium
Date: Wed, 8 Feb 2023 23:55:26 +0100
Subject: refactor: simplify authz
---
.../FirstTimeSetupPolicy/FirstTimeSetupHandler.cs | 61 ++++++++++++++++++++++
1 file changed, 61 insertions(+)
create mode 100644 Jellyfin.Api/Auth/FirstTimeSetupPolicy/FirstTimeSetupHandler.cs
(limited to 'Jellyfin.Api/Auth/FirstTimeSetupPolicy/FirstTimeSetupHandler.cs')
diff --git a/Jellyfin.Api/Auth/FirstTimeSetupPolicy/FirstTimeSetupHandler.cs b/Jellyfin.Api/Auth/FirstTimeSetupPolicy/FirstTimeSetupHandler.cs
new file mode 100644
index 000000000..302e052a7
--- /dev/null
+++ b/Jellyfin.Api/Auth/FirstTimeSetupPolicy/FirstTimeSetupHandler.cs
@@ -0,0 +1,61 @@
+using System.Threading.Tasks;
+using Jellyfin.Api.Constants;
+using Jellyfin.Api.Extensions;
+using MediaBrowser.Common.Configuration;
+using MediaBrowser.Controller.Library;
+using Microsoft.AspNetCore.Authorization;
+
+namespace Jellyfin.Api.Auth.FirstTimeSetupPolicy
+{
+ ///
+ /// Authorization handler for requiring first time setup or default privileges.
+ ///
+ public class FirstTimeSetupHandler : AuthorizationHandler
+ {
+ private readonly IConfigurationManager _configurationManager;
+ private readonly IUserManager _userManager;
+
+ ///
+ /// Initializes a new instance of the class.
+ ///
+ /// Instance of the interface.
+ /// Instance of the interface.
+ public FirstTimeSetupHandler(
+ IConfigurationManager configurationManager,
+ IUserManager userManager)
+ {
+ _configurationManager = configurationManager;
+ _userManager = userManager;
+ }
+
+ ///
+ protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, FirstTimeSetupRequirement requirement)
+ {
+ if (!_configurationManager.CommonConfiguration.IsStartupWizardCompleted)
+ {
+ context.Succeed(requirement);
+ return Task.CompletedTask;
+ }
+
+ if (requirement.RequireAdmin && !context.User.IsInRole(UserRoles.Administrator))
+ {
+ context.Fail();
+ return Task.CompletedTask;
+ }
+
+ if (!requirement.ValidateParentalSchedule)
+ {
+ context.Succeed(requirement);
+ return Task.CompletedTask;
+ }
+
+ var user = _userManager.GetUserById(context.User.GetUserId());
+ if (user.IsParentalScheduleAllowed())
+ {
+ context.Succeed(requirement);
+ }
+
+ return Task.CompletedTask;
+ }
+ }
+}
-- cgit v1.2.3
From a5e2ae4979ece439ade037ba2c88a4003a7e8f68 Mon Sep 17 00:00:00 2001
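Review bot: The first branch of `HandleRequirementAsync` succeeds the requirement for every caller, authenticated or not, while `IsStartupWizardCompleted` is false, and it runs before `RequireAdmin` is consulted, so every endpoint carrying this requirement is open until setup finishes. The class summary suggests this is intended, but the branch should say so, for example `// Setup not finished: all callers pass, including anonymous ones; attach this requirement only to endpoints that are safe to expose before the first admin exists.` Separately, the parental-schedule path at the end returns without calling `Succeed` or `Fail`, whereas the admin check calls `context.Fail()`. Adding `else { context.Fail(); }` after the `IsParentalScheduleAllowed()` check would make that denial explicit, so it does not depend on no other handler succeeding the same requirement.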
From: cvium Date: Sun, 12 Feb 2023 23:01:30 +0100 Subject: fix merge conflict --- .../Auth/DefaultAuthorizationPolicy/DefaultAuthorizationHandler.cs | 5 +++++ Jellyfin.Api/Auth/FirstTimeSetupPolicy/FirstTimeSetupHandler.cs | 6 ++++++ Jellyfin.Api/Auth/SyncPlayAccessPolicy/SyncPlayAccessHandler.cs | 5 +++++ Jellyfin.Api/Auth/UserPermissionPolicy/UserPermissionHandler.cs | 6 ++++++ 4 files changed, 22 insertions(+) (limited to 'Jellyfin.Api/Auth/FirstTimeSetupPolicy/FirstTimeSetupHandler.cs') diff --git a/Jellyfin.Api/Auth/DefaultAuthorizationPolicy/DefaultAuthorizationHandler.cs b/Jellyfin.Api/Auth/DefaultAuthorizationPolicy/DefaultAuthorizationHandler.cs index 2d9ce0631..b1d97e4a1 100644 --- a/Jellyfin.Api/Auth/DefaultAuthorizationPolicy/DefaultAuthorizationHandler.cs +++ b/Jellyfin.Api/Auth/DefaultAuthorizationPolicy/DefaultAuthorizationHandler.cs @@ -49,6 +49,11 @@ namespace Jellyfin.Api.Auth.DefaultAuthorizationPolicy var isInLocalNetwork = _httpContextAccessor.HttpContext is not null && _networkManager.IsInLocalNetwork(_httpContextAccessor.HttpContext.GetNormalizedRemoteIp()); var user = _userManager.GetUserById(userId); + if (user is null) + { + throw new ResourceNotFoundException(); + } + // User cannot access remotely and user is remote if (!isInLocalNetwork && !user.HasPermission(PermissionKind.EnableRemoteAccess)) { diff --git a/Jellyfin.Api/Auth/FirstTimeSetupPolicy/FirstTimeSetupHandler.cs b/Jellyfin.Api/Auth/FirstTimeSetupPolicy/FirstTimeSetupHandler.cs index 302e052a7..28ba25850 100644 --- a/Jellyfin.Api/Auth/FirstTimeSetupPolicy/FirstTimeSetupHandler.cs +++ b/Jellyfin.Api/Auth/FirstTimeSetupPolicy/FirstTimeSetupHandler.cs @@ -2,6 +2,7 @@ using System.Threading.Tasks; using Jellyfin.Api.Constants; using Jellyfin.Api.Extensions; using MediaBrowser.Common.Configuration; +using MediaBrowser.Common.Extensions; using MediaBrowser.Controller.Library; using Microsoft.AspNetCore.Authorization; 
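Review bot: Throwing `ResourceNotFoundException` from an authorization handler when `GetUserById` returns null means a stale or deleted account produces an exception escaping the authorization pipeline instead of a denied request. What the client then receives depends on exception-handling middleware that is not visible in this diff. Failing closed is the conventional shape: `context.Fail(); return Task.CompletedTask;` in place of the `throw`, assuming this method returns a `Task` the way the FirstTimeSetupHandler one does. The same `throw` is added in the FirstTimeSetupHandler, SyncPlayAccessHandler and UserPermissionHandler hunks of this commit. The enclosing method of the DefaultAuthorizationHandler hunk starts and ends outside the hunk, so the surrounding control flow could not be checked.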
@@ -50,6 +51,11 @@ namespace Jellyfin.Api.Auth.FirstTimeSetupPolicy } var user = _userManager.GetUserById(context.User.GetUserId()); + if (user is null) + { + throw new ResourceNotFoundException(); + } + if (user.IsParentalScheduleAllowed()) { context.Succeed(requirement); diff --git a/Jellyfin.Api/Auth/SyncPlayAccessPolicy/SyncPlayAccessHandler.cs b/Jellyfin.Api/Auth/SyncPlayAccessPolicy/SyncPlayAccessHandler.cs index 5c1029b38..75ec9fcec 100644 --- a/Jellyfin.Api/Auth/SyncPlayAccessPolicy/SyncPlayAccessHandler.cs +++ b/Jellyfin.Api/Auth/SyncPlayAccessPolicy/SyncPlayAccessHandler.cs @@ -1,6 +1,7 @@ using System.Threading.Tasks; using Jellyfin.Api.Extensions; using Jellyfin.Data.Enums; +using MediaBrowser.Common.Extensions; using MediaBrowser.Controller.Library; using MediaBrowser.Controller.SyncPlay; using Microsoft.AspNetCore.Authorization; @@ -33,6 +34,10 @@ namespace Jellyfin.Api.Auth.SyncPlayAccessPolicy { var userId = context.User.GetUserId(); var user = _userManager.GetUserById(userId); + if (user is null) + { + throw new ResourceNotFoundException(); + } if (requirement.RequiredAccess == SyncPlayAccessRequirementType.HasAccess) { diff --git a/Jellyfin.Api/Auth/UserPermissionPolicy/UserPermissionHandler.cs b/Jellyfin.Api/Auth/UserPermissionPolicy/UserPermissionHandler.cs index c3de7be32..ba2b1b657 100644 --- a/Jellyfin.Api/Auth/UserPermissionPolicy/UserPermissionHandler.cs +++ b/Jellyfin.Api/Auth/UserPermissionPolicy/UserPermissionHandler.cs @@ -1,6 +1,7 @@ using System.Threading.Tasks; using Jellyfin.Api.Auth.DownloadPolicy; using Jellyfin.Api.Extensions; +using MediaBrowser.Common.Extensions; using MediaBrowser.Controller.Library; using Microsoft.AspNetCore.Authorization; 
@@ -26,6 +27,11 @@ namespace Jellyfin.Api.Auth.UserPermissionPolicy protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, UserPermissionRequirement requirement) { var user = _userManager.GetUserById(context.User.GetUserId()); + if (user is null) + { + throw new ResourceNotFoundException(); + } + if (user.HasPermission(requirement.RequiredPermission)) { context.Succeed(requirement); -- cgit v1.2.3