From 389390b82ecfbb48e0486f8f132046ddf8624e00 Mon Sep 17 00:00:00 2001 From: Luke Pulverenti Date: Wed, 2 Jul 2014 00:57:18 -0400 Subject: fixes #789 - Security Issue: API allows access to any folder of the PC running MediaBrowser --- MediaBrowser.Api/BaseApiService.cs | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) (limited to 'MediaBrowser.Api/BaseApiService.cs') diff --git a/MediaBrowser.Api/BaseApiService.cs b/MediaBrowser.Api/BaseApiService.cs index f1d596213..09eb1ea41 100644 --- a/MediaBrowser.Api/BaseApiService.cs +++ b/MediaBrowser.Api/BaseApiService.cs @@ -14,8 +14,7 @@ namespace MediaBrowser.Api /// /// Class BaseApiService /// - [AuthorizationRequestFilter] - public class BaseApiService : IHasResultFactory, IRestfulService + public class BaseApiService : IHasResultFactory, IRestfulService, IHasSession { /// /// Gets or sets the logger. @@ -35,6 +34,8 @@ namespace MediaBrowser.Api /// The request context. public IRequest Request { get; set; } + public ISessionContext SessionContext { get; set; } + public string GetHeader(string name) { return Request.Headers[name]; @@ -82,13 +83,11 @@ namespace MediaBrowser.Api /// /// Gets the session. /// - /// The session manager. /// SessionInfo. - protected SessionInfo GetSession(ISessionManager sessionManager) + /// Session not found. + protected SessionInfo GetSession() { - var auth = AuthorizationRequestFilterAttribute.GetAuthorization(Request); - - var session = sessionManager.GetSession(auth.DeviceId, auth.Client, auth.Version); + var session = SessionContext.GetSession(Request); if (session == null) { -- cgit v1.2.3