From a527034ebe31e1aa43c5fd4adb98e8cff871988a Mon Sep 17 00:00:00 2001 From: Cody Robibero Date: Fri, 17 Feb 2023 15:16:08 -0700 Subject: Validate requested user id (#8812) --- Jellyfin.Api/Helpers/RequestHelpers.cs | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) (limited to 'Jellyfin.Api/Helpers/RequestHelpers.cs') diff --git a/Jellyfin.Api/Helpers/RequestHelpers.cs b/Jellyfin.Api/Helpers/RequestHelpers.cs index 0b7a4fa1ac..57098edbae 100644 --- a/Jellyfin.Api/Helpers/RequestHelpers.cs +++ b/Jellyfin.Api/Helpers/RequestHelpers.cs @@ -11,6 +11,7 @@ using MediaBrowser.Common.Extensions; using MediaBrowser.Controller.Dto; using MediaBrowser.Controller.Entities; using MediaBrowser.Controller.Library; +using MediaBrowser.Controller.Net; using MediaBrowser.Controller.Session; using MediaBrowser.Model.Dto; using MediaBrowser.Model.Querying; @@ -55,6 +56,32 @@ public static class RequestHelpers return result; } + /// + /// Checks if the user can access a user. + /// + /// The for the current request. + /// The user id. + /// A whether the user can access the user. + internal static Guid GetUserId(ClaimsPrincipal claimsPrincipal, Guid? userId) + { + var authenticatedUserId = claimsPrincipal.GetUserId(); + + // UserId not provided, fall back to authenticated user id. + if (userId is null || userId.Value.Equals(default)) + { + return authenticatedUserId; + } + + // User must be administrator to access another user. + var isAdministrator = claimsPrincipal.IsInRole(UserRoles.Administrator); + if (!userId.Value.Equals(authenticatedUserId) && !isAdministrator) + { + throw new SecurityException("Forbidden"); + } + + return userId.Value; + } + /// /// Checks if the user can update an entry. /// -- cgit v1.2.3