From 5dc30c6a6d8af9a758fd730c9da69c13847c21c3 Mon Sep 17 00:00:00 2001
From: cvium <clausvium@gmail.com>
Date: Thu, 6 Oct 2022 13:57:47 +0200
Subject: fix: use HttpContext and ClaimsPrincipal instead of
 IAuthorizationContext

---
 Jellyfin.Api/Controllers/ItemsController.cs | 20 +++++++-------------
 1 file changed, 7 insertions(+), 13 deletions(-)

(limited to 'Jellyfin.Api/Controllers/ItemsController.cs')

diff --git a/Jellyfin.Api/Controllers/ItemsController.cs b/Jellyfin.Api/Controllers/ItemsController.cs
index 4d09070db..3c7c375d4 100644
--- a/Jellyfin.Api/Controllers/ItemsController.cs
+++ b/Jellyfin.Api/Controllers/ItemsController.cs
@@ -10,7 +10,6 @@ using Jellyfin.Data.Enums;
 using MediaBrowser.Controller.Dto;
 using MediaBrowser.Controller.Entities;
 using MediaBrowser.Controller.Library;
-using MediaBrowser.Controller.Net;
 using MediaBrowser.Controller.Session;
 using MediaBrowser.Model.Dto;
 using MediaBrowser.Model.Entities;
@@ -34,7 +33,6 @@ namespace Jellyfin.Api.Controllers
         private readonly ILibraryManager _libraryManager;
         private readonly ILocalizationManager _localization;
         private readonly IDtoService _dtoService;
-        private readonly IAuthorizationContext _authContext;
         private readonly ILogger<ItemsController> _logger;
         private readonly ISessionManager _sessionManager;
 
@@ -45,7 +43,6 @@ namespace Jellyfin.Api.Controllers
         /// <param name="libraryManager">Instance of the <see cref="ILibraryManager"/> interface.</param>
         /// <param name="localization">Instance of the <see cref="ILocalizationManager"/> interface.</param>
         /// <param name="dtoService">Instance of the <see cref="IDtoService"/> interface.</param>
-        /// <param name="authContext">Instance of the <see cref="IAuthorizationContext"/> interface.</param>
         /// <param name="logger">Instance of the <see cref="ILogger"/> interface.</param>
         /// <param name="sessionManager">Instance of the <see cref="ISessionManager"/> interface.</param>
         public ItemsController(
@@ -53,7 +50,6 @@ namespace Jellyfin.Api.Controllers
             ILibraryManager libraryManager,
             ILocalizationManager localization,
             IDtoService dtoService,
-            IAuthorizationContext authContext,
             ILogger<ItemsController> logger,
             ISessionManager sessionManager)
         {
@@ -61,7 +57,6 @@ namespace Jellyfin.Api.Controllers
             _libraryManager = libraryManager;
             _localization = localization;
             _dtoService = dtoService;
-            _authContext = authContext;
             _logger = logger;
             _sessionManager = sessionManager;
         }
@@ -244,21 +239,20 @@ namespace Jellyfin.Api.Controllers
             [FromQuery] bool enableTotalRecordCount = true,
             [FromQuery] bool? enableImages = true)
         {
-            var auth = await _authContext.GetAuthorizationInfo(Request).ConfigureAwait(false);
-
+            var isApiKey = User.GetIsApiKey();
             // if api key is used (auth.IsApiKey == true), then `user` will be null throughout this method
-            var user = !auth.IsApiKey && userId.HasValue && !userId.Value.Equals(default)
+            var user = !isApiKey && userId.HasValue && !userId.Value.Equals(default)
                 ? _userManager.GetUserById(userId.Value)
                 : null;
 
             // beyond this point, we're either using an api key or we have a valid user
-            if (!auth.IsApiKey && user is null)
+            if (!isApiKey && user is null)
             {
                 return BadRequest("userId is required");
             }
 
             var dtoOptions = new DtoOptions { Fields = fields }
-                .AddClientFields(Request)
+                .AddClientFields(User)
                 .AddAdditionalDtoOptions(enableImages, enableUserData, imageTypeLimit, enableImageTypes);
 
             if (includeItemTypes.Length == 1
@@ -288,12 +282,12 @@ namespace Jellyfin.Api.Controllers
                 includeItemTypes = new[] { BaseItemKind.Playlist };
             }
 
-            var enabledChannels = auth.IsApiKey
+            var enabledChannels = isApiKey
                 ? Array.Empty<Guid>()
                 : user!.GetPreferenceValues<Guid>(PreferenceKind.EnabledChannels);
 
             // api keys are always enabled for all folders
-            bool isInEnabledFolder = auth.IsApiKey
+            bool isInEnabledFolder = isApiKey
                                      || Array.IndexOf(user!.GetPreferenceValues<Guid>(PreferenceKind.EnabledFolders), item.Id) != -1
                                      // Assume all folders inside an EnabledChannel are enabled
                                      || Array.IndexOf(enabledChannels, item.Id) != -1
@@ -850,7 +844,7 @@ namespace Jellyfin.Api.Controllers
             var user = _userManager.GetUserById(userId);
             var parentIdGuid = parentId ?? Guid.Empty;
             var dtoOptions = new DtoOptions { Fields = fields }
-                .AddClientFields(Request)
+                .AddClientFields(User)
                 .AddAdditionalDtoOptions(enableImages, enableUserData, imageTypeLimit, enableImageTypes);
 
             var ancestorIds = Array.Empty<Guid>();
-- 
cgit v1.2.3


From 6afc9110439c3c5345beb9a6bac1968ee4dedce8 Mon Sep 17 00:00:00 2001
From: cvium <clausvium@gmail.com>
Date: Thu, 6 Oct 2022 14:15:40 +0200
Subject: fix Release build

---
 Jellyfin.Api/Controllers/ItemsController.cs    |  4 ++--
 Jellyfin.Api/Controllers/TrailersController.cs |  2 +-
 Jellyfin.Api/Controllers/UserController.cs     | 12 ++++++------
 Jellyfin.Api/Helpers/MediaInfoHelper.cs        |  3 ++-
 4 files changed, 11 insertions(+), 10 deletions(-)

(limited to 'Jellyfin.Api/Controllers/ItemsController.cs')

diff --git a/Jellyfin.Api/Controllers/ItemsController.cs b/Jellyfin.Api/Controllers/ItemsController.cs
index 3c7c375d4..80ae5abcb 100644
--- a/Jellyfin.Api/Controllers/ItemsController.cs
+++ b/Jellyfin.Api/Controllers/ItemsController.cs
@@ -152,7 +152,7 @@ namespace Jellyfin.Api.Controllers
         /// <returns>A <see cref="QueryResult{BaseItemDto}"/> with the items.</returns>
         [HttpGet("Items")]
         [ProducesResponseType(StatusCodes.Status200OK)]
-        public async Task<ActionResult<QueryResult<BaseItemDto>>> GetItems(
+        public ActionResult<QueryResult<BaseItemDto>> GetItems(
             [FromQuery] Guid? userId,
             [FromQuery] string? maxOfficialRating,
             [FromQuery] bool? hasThemeSong,
@@ -627,7 +627,7 @@ namespace Jellyfin.Api.Controllers
         /// <returns>A <see cref="QueryResult{BaseItemDto}"/> with the items.</returns>
         [HttpGet("Users/{userId}/Items")]
         [ProducesResponseType(StatusCodes.Status200OK)]
-        public Task<ActionResult<QueryResult<BaseItemDto>>> GetItemsByUserId(
+        public ActionResult<QueryResult<BaseItemDto>> GetItemsByUserId(
             [FromRoute] Guid userId,
             [FromQuery] string? maxOfficialRating,
             [FromQuery] bool? hasThemeSong,
diff --git a/Jellyfin.Api/Controllers/TrailersController.cs b/Jellyfin.Api/Controllers/TrailersController.cs
index cf812fa23..b296d1c96 100644
--- a/Jellyfin.Api/Controllers/TrailersController.cs
+++ b/Jellyfin.Api/Controllers/TrailersController.cs
@@ -119,7 +119,7 @@ namespace Jellyfin.Api.Controllers
         /// <returns>A <see cref="QueryResult{BaseItemDto}"/> with the trailers.</returns>
         [HttpGet]
         [ProducesResponseType(StatusCodes.Status200OK)]
-        public Task<ActionResult<QueryResult<BaseItemDto>>> GetTrailers(
+        public ActionResult<QueryResult<BaseItemDto>> GetTrailers(
             [FromQuery] Guid? userId,
             [FromQuery] string? maxOfficialRating,
             [FromQuery] bool? hasThemeSong,
diff --git a/Jellyfin.Api/Controllers/UserController.cs b/Jellyfin.Api/Controllers/UserController.cs
index 004690541..ff653fe6b 100644
--- a/Jellyfin.Api/Controllers/UserController.cs
+++ b/Jellyfin.Api/Controllers/UserController.cs
@@ -83,11 +83,11 @@ namespace Jellyfin.Api.Controllers
         [HttpGet]
         [Authorize(Policy = Policies.DefaultAuthorization)]
         [ProducesResponseType(StatusCodes.Status200OK)]
-        public async Task<ActionResult<IEnumerable<UserDto>>> GetUsers(
+        public ActionResult<IEnumerable<UserDto>> GetUsers(
             [FromQuery] bool? isHidden,
             [FromQuery] bool? isDisabled)
         {
-            var users = await Get(isHidden, isDisabled, false, false).ConfigureAwait(false);
+            var users = Get(isHidden, isDisabled, false, false);
             return Ok(users);
         }
 
@@ -98,15 +98,15 @@ namespace Jellyfin.Api.Controllers
         /// <returns>An <see cref="IEnumerable{UserDto}"/> containing the public users.</returns>
         [HttpGet("Public")]
         [ProducesResponseType(StatusCodes.Status200OK)]
-        public async Task<ActionResult<IEnumerable<UserDto>>> GetPublicUsers()
+        public ActionResult<IEnumerable<UserDto>> GetPublicUsers()
         {
             // If the startup wizard hasn't been completed then just return all users
             if (!_config.Configuration.IsStartupWizardCompleted)
             {
-                return Ok(await Get(false, false, false, false).ConfigureAwait(false));
+                return Ok(Get(false, false, false, false));
             }
 
-            return Ok(await Get(false, false, true, true).ConfigureAwait(false));
+            return Ok(Get(false, false, true, true));
         }
 
         /// <summary>
@@ -552,7 +552,7 @@ namespace Jellyfin.Api.Controllers
             return _userManager.GetUserDto(user);
         }
 
-        private async Task<IEnumerable<UserDto>> Get(bool? isHidden, bool? isDisabled, bool filterByDevice, bool filterByNetwork)
+        private IEnumerable<UserDto> Get(bool? isHidden, bool? isDisabled, bool filterByDevice, bool filterByNetwork)
         {
             var users = _userManager.Users;
 
diff --git a/Jellyfin.Api/Helpers/MediaInfoHelper.cs b/Jellyfin.Api/Helpers/MediaInfoHelper.cs
index 11f490bb4..4441ae023 100644
--- a/Jellyfin.Api/Helpers/MediaInfoHelper.cs
+++ b/Jellyfin.Api/Helpers/MediaInfoHelper.cs
@@ -313,7 +313,8 @@ namespace Jellyfin.Api.Helpers
                 }
 
                 // Do this after the above so that StartPositionTicks is set
-                SetDeviceSpecificSubtitleInfo(streamInfo, mediaSource, claimsPrincipal.GetToken());
+                // The token must not be null
+                SetDeviceSpecificSubtitleInfo(streamInfo, mediaSource, claimsPrincipal.GetToken()!);
                 mediaSource.DefaultAudioStreamIndex = streamInfo.AudioStreamIndex;
             }
 
-- 
cgit v1.2.3


From fb9023f2d83c9e0947c63d4a0c27b35d6c711d9c Mon Sep 17 00:00:00 2001
From: Bill Thornton <billt2006@gmail.com>
Date: Wed, 9 Nov 2022 18:02:49 -0500
Subject: Fix items endpoint not honoring library access control

---
 Jellyfin.Api/Controllers/ItemsController.cs | 36 ++++-------------------------
 1 file changed, 5 insertions(+), 31 deletions(-)

(limited to 'Jellyfin.Api/Controllers/ItemsController.cs')

diff --git a/Jellyfin.Api/Controllers/ItemsController.cs b/Jellyfin.Api/Controllers/ItemsController.cs
index 80ae5abcb..33b67b389 100644
--- a/Jellyfin.Api/Controllers/ItemsController.cs
+++ b/Jellyfin.Api/Controllers/ItemsController.cs
@@ -282,39 +282,13 @@ namespace Jellyfin.Api.Controllers
                 includeItemTypes = new[] { BaseItemKind.Playlist };
             }
 
-            var enabledChannels = isApiKey
-                ? Array.Empty<Guid>()
-                : user!.GetPreferenceValues<Guid>(PreferenceKind.EnabledChannels);
-
-            // api keys are always enabled for all folders
-            bool isInEnabledFolder = isApiKey
-                                     || Array.IndexOf(user!.GetPreferenceValues<Guid>(PreferenceKind.EnabledFolders), item.Id) != -1
-                                     // Assume all folders inside an EnabledChannel are enabled
-                                     || Array.IndexOf(enabledChannels, item.Id) != -1
-                                     // Assume all items inside an EnabledChannel are enabled
-                                     || Array.IndexOf(enabledChannels, item.ChannelId) != -1;
-
-            if (!isInEnabledFolder)
-            {
-                var collectionFolders = _libraryManager.GetCollectionFolders(item);
-                foreach (var collectionFolder in collectionFolders)
-                {
-                    // api keys never enter this block, so user is never null
-                    if (user!.GetPreferenceValues<Guid>(PreferenceKind.EnabledFolders).Contains(collectionFolder.Id))
-                    {
-                        isInEnabledFolder = true;
-                    }
-                }
-            }
-
-            // api keys are always enabled for all folders, so user is never null
             if (item is not UserRootFolder
-                && !isInEnabledFolder
-                && !user!.HasPermission(PermissionKind.EnableAllFolders)
-                && !user.HasPermission(PermissionKind.EnableAllChannels)
-                && !string.Equals(collectionType, CollectionType.Folders, StringComparison.OrdinalIgnoreCase))
+                // api keys can always access all folders
+                && !isApiKey
+                // check the item is visible for the user
+                && !item.IsVisible(user))
             {
-                _logger.LogWarning("{UserName} is not permitted to access Library {ItemName}", user.Username, item.Name);
+                _logger.LogWarning("{UserName} is not permitted to access Library {ItemName}", user!.Username, item.Name);
                 return Unauthorized($"{user.Username} is not permitted to access Library {item.Name}.");
             }
 
-- 
cgit v1.2.3