From 5d760b7ee806d3fb00ac5aa7d0981362526f1d11 Mon Sep 17 00:00:00 2001
From: Davide Polonio <poloniodavide@gmail.com>
Date: Sun, 1 Mar 2020 21:38:34 +0100
Subject: Fix emby/user/public API leaking private data

This commit fixes the emby/user/public API that was returning more data
than necessary. Now only the following information are returned:
- the account name
- the primary image tag
- the field hasPassword
- the field hasConfiguredPassword, useful for the first wizard only
(see
https://github.com/jellyfin/jellyfin/issues/880#issuecomment-465370051)
- the primary image aspect ratio

A new DTO class, PrivateUserDTO has been created, and the route has been
modified in order to return that data object.
---
 MediaBrowser.Api/UserService.cs | 36 +++++++++++++++++++++++++-----------
 1 file changed, 25 insertions(+), 11 deletions(-)

(limited to 'MediaBrowser.Api/UserService.cs')

diff --git a/MediaBrowser.Api/UserService.cs b/MediaBrowser.Api/UserService.cs
index 401514349..b4ab8c974 100644
--- a/MediaBrowser.Api/UserService.cs
+++ b/MediaBrowser.Api/UserService.cs
@@ -35,7 +35,7 @@ namespace MediaBrowser.Api
     }
 
     [Route("/Users/Public", "GET", Summary = "Gets a list of publicly visible users for display on a login screen.")]
-    public class GetPublicUsers : IReturn<UserDto[]>
+    public class GetPublicUsers : IReturn<PublicUserDto[]>
     {
     }
 
@@ -266,22 +266,36 @@ namespace MediaBrowser.Api
             _authContext = authContext;
         }
 
+        /// <summary>
+        /// Gets the public available Users information
+        /// </summary>
+        /// <param name="request">The request.</param>
+        /// <returns>System.Object.</returns>
         public object Get(GetPublicUsers request)
         {
-            // If the startup wizard hasn't been completed then just return all users
-            if (!ServerConfigurationManager.Configuration.IsStartupWizardCompleted)
+            var users = _userManager
+                .Users
+                .Where(item => item.Policy.IsDisabled == false)
+                .Where(item => item.Policy.IsHidden == false);
+
+            var deviceId = _authContext.GetAuthorizationInfo(Request).DeviceId;
+
+            if (!string.IsNullOrWhiteSpace(deviceId))
             {
-                return Get(new GetUsers
-                {
-                    IsDisabled = false
-                });
+                users = users.Where(i => _deviceManager.CanAccessDevice(i, deviceId));
             }
 
-            return Get(new GetUsers
+            if (!_networkManager.IsInLocalNetwork(Request.RemoteIp))
             {
-                IsHidden = false,
-                IsDisabled = false
-            }, true, true);
+                users = users.Where(i => i.Policy.EnableRemoteAccess);
+            }
+
+            var result = users
+                .OrderBy(u => u.Name)
+                .Select(i => _userManager.GetPublicUserDto(i, Request.RemoteIp))
+                .ToArray();
+
+            return ToOptimizedResult(result);
         }
 
         /// <summary>
-- 
cgit v1.2.3