From 7e0ea296c383b9b9cd778bb12834c2a73df3d1ea Mon Sep 17 00:00:00 2001
From: cvium
Date: Thu, 3 Dec 2020 10:43:44 +0100
Subject: Move request validation to auth policies
---
.../SyncPlayAccessPolicy/SyncPlayAccessHandler.cs | 58 ++++++++++++++++++++++
.../SyncPlayAccessRequirement.cs | 33 ++++++++++++
2 files changed, 91 insertions(+)
create mode 100644 Jellyfin.Api/Auth/SyncPlayAccessPolicy/SyncPlayAccessHandler.cs
create mode 100644 Jellyfin.Api/Auth/SyncPlayAccessPolicy/SyncPlayAccessRequirement.cs
(limited to 'Jellyfin.Api/Auth')
diff --git a/Jellyfin.Api/Auth/SyncPlayAccessPolicy/SyncPlayAccessHandler.cs b/Jellyfin.Api/Auth/SyncPlayAccessPolicy/SyncPlayAccessHandler.cs
new file mode 100644
index 000000000..2c3294523
--- /dev/null
+++ b/Jellyfin.Api/Auth/SyncPlayAccessPolicy/SyncPlayAccessHandler.cs
@@ -0,0 +1,58 @@
+using System.Threading.Tasks;
+using Jellyfin.Api.Helpers;
+using Jellyfin.Data.Enums;
+using MediaBrowser.Common.Net;
+using MediaBrowser.Controller.Library;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Http;
+
+namespace Jellyfin.Api.Auth.SyncPlayAccessPolicy
+{
+ ///
+ /// Default authorization handler.
+ ///
+ public class SyncPlayAccessHandler : BaseAuthorizationHandler
+ {
+ private readonly IUserManager _userManager;
+
+ ///
+ /// Initializes a new instance of the class.
+ ///
+ /// Instance of the interface.
+ /// Instance of the interface.
+ /// Instance of the interface.
+ public SyncPlayAccessHandler(
+ IUserManager userManager,
+ INetworkManager networkManager,
+ IHttpContextAccessor httpContextAccessor)
+ : base(userManager, networkManager, httpContextAccessor)
+ {
+ _userManager = userManager;
+ }
+
+ ///
+ protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, SyncPlayAccessRequirement requirement)
+ {
+ if (!ValidateClaims(context.User))
+ {
+ context.Fail();
+ return Task.CompletedTask;
+ }
+
+ var userId = ClaimHelpers.GetUserId(context.User);
+ var user = _userManager.GetUserById(userId!.Value);
+
+ if ((requirement.RequiredAccess.HasValue && user.SyncPlayAccess == requirement.RequiredAccess)
+ || (user.SyncPlayAccess == SyncPlayAccess.JoinGroups || user.SyncPlayAccess == SyncPlayAccess.CreateAndJoinGroups))
+ {
+ context.Succeed(requirement);
+ }
+ else
+ {
+ context.Fail();
+ }
+
+ return Task.CompletedTask;
+ }
+ }
+}
diff --git a/Jellyfin.Api/Auth/SyncPlayAccessPolicy/SyncPlayAccessRequirement.cs b/Jellyfin.Api/Auth/SyncPlayAccessPolicy/SyncPlayAccessRequirement.cs
new file mode 100644
index 000000000..7fcaf69f6
--- /dev/null
+++ b/Jellyfin.Api/Auth/SyncPlayAccessPolicy/SyncPlayAccessRequirement.cs
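Review bot: The second half of the condition in HandleRequirementAsync succeeds for any user whose SyncPlayAccess is JoinGroups or CreateAndJoinGroups, whatever requirement.RequiredAccess holds, so a policy built with SyncPlayAccess.CreateAndJoinGroups is also satisfied by a join-only user. The first half additionally lets a requirement of SyncPlayAccess.None succeed for a user whose access is None, which is probably not intended and should be confirmed. The decision should branch on the required level first and fall back to "join or create" only when no stricter level was requested, as sketched below. Separately, `userId!.Value` and `user.SyncPlayAccess` rely on ValidateClaims (defined outside this hunk) guaranteeing a user id claim and an existing user; if it does not, a null check that ends in `context.Fail()` is the safer outcome than an exception inside the handler.

```csharp
// … unchanged: ValidateClaims check and user lookup …
var canJoin = user.SyncPlayAccess == SyncPlayAccess.JoinGroups
    || user.SyncPlayAccess == SyncPlayAccess.CreateAndJoinGroups;

// A stricter requirement must not be satisfied by the weaker access level.
var granted = requirement.RequiredAccess switch
{
    SyncPlayAccess.CreateAndJoinGroups => user.SyncPlayAccess == SyncPlayAccess.CreateAndJoinGroups,
    _ => canJoin
};

if (granted)
// … unchanged: Succeed / Fail branches and return …
```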
@@ -0,0 +1,33 @@
+using Jellyfin.Data.Enums;
+using Microsoft.AspNetCore.Authorization;
+
+namespace Jellyfin.Api.Auth.SyncPlayAccessPolicy
+{
+ ///
+ /// The default authorization requirement.
+ ///
+ public class SyncPlayAccessRequirement : IAuthorizationRequirement
+ {
+ ///
+ /// Initializes a new instance of the class.
+ ///
+ /// A value of .
+ public SyncPlayAccessRequirement(SyncPlayAccess requiredAccess)
+ {
+ RequiredAccess = requiredAccess;
+ }
+
+ ///
+ /// Initializes a new instance of the class.
+ ///
+ public SyncPlayAccessRequirement()
+ {
+ RequiredAccess = null;
+ }
+
+ ///
+ /// Gets the required SyncPlay access.
+ ///
+ public SyncPlayAccess? RequiredAccess { get; }
+ }
+}
-- cgit v1.2.3
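Review bot: The meaning of a null RequiredAccess is not documented on SyncPlayAccessRequirement, and the class summary is the generic "The default authorization requirement." Going by the handler added in this same commit, the parameterless constructor appears to mean "any user allowed to join or create groups", which someone registering a policy cannot tell from this file. I would state that on the property and on the parameterless constructor, e.g. `/// Gets the required SyncPlay access, or null when either JoinGroups or CreateAndJoinGroups is sufficient.`, and replace the class summary with one that names SyncPlay. It is also worth documenting what passing SyncPlayAccess.None to the first constructor is supposed to mean, or rejecting it there.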