admins shouldn't be able to circumvent remote access policies

This commit is contained in:
cvium 2023-02-09 08:53:59 +01:00
parent a4c3011ee8
commit f984f31896

View File

@ -38,13 +38,6 @@ namespace Jellyfin.Api.Auth.DefaultAuthorizationPolicy
/// <inheritdoc /> /// <inheritdoc />
protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, DefaultAuthorizationRequirement requirement) protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, DefaultAuthorizationRequirement requirement)
{ {
// Admins can do everything
if (context.User.GetIsApiKey() || context.User.IsInRole(UserRoles.Administrator))
{
context.Succeed(requirement);
return Task.CompletedTask;
}
var userId = context.User.GetUserId(); var userId = context.User.GetUserId();
// This likely only happens during the wizard, so skip the default checks and let any other handlers do it // This likely only happens during the wizard, so skip the default checks and let any other handlers do it
if (userId.Equals(default)) if (userId.Equals(default))
@ -62,6 +55,13 @@ namespace Jellyfin.Api.Auth.DefaultAuthorizationPolicy
return Task.CompletedTask; return Task.CompletedTask;
} }
// Admins can do everything
if (context.User.GetIsApiKey() || context.User.IsInRole(UserRoles.Administrator))
{
context.Succeed(requirement);
return Task.CompletedTask;
}
// It's not great to have this check, but parental schedule must usually be honored except in a few rare cases // It's not great to have this check, but parental schedule must usually be honored except in a few rare cases
if (requirement.ValidateParentalSchedule && !user.IsParentalScheduleAllowed()) if (requirement.ValidateParentalSchedule && !user.IsParentalScheduleAllowed())
{ {