jellyfin/Emby.Server.Implementations/HttpServer/Security/AuthService.cs

using MediaBrowser.Controller.Configuration;
using MediaBrowser.Controller.Connect;
using MediaBrowser.Controller.Devices;
using MediaBrowser.Controller.Entities;
using MediaBrowser.Controller.Library;
using MediaBrowser.Controller.Net;
using MediaBrowser.Controller.Security;
using MediaBrowser.Controller.Session;
using System;
using System.Linq;
using MediaBrowser.Model.Services;
using MediaBrowser.Common.Net;

namespace Emby.Server.Implementations.HttpServer.Security
{
    public class AuthService : IAuthService
    {
        private readonly IServerConfigurationManager _config;

        public AuthService(IUserManager userManager, IAuthorizationContext authorizationContext, IServerConfigurationManager config, ISessionManager sessionManager, INetworkManager networkManager)
        {
            AuthorizationContext = authorizationContext;
            _config = config;
            SessionManager = sessionManager;
            UserManager = userManager;
            NetworkManager = networkManager;
        }

        public IUserManager UserManager { get; private set; }
        public IAuthorizationContext AuthorizationContext { get; private set; }
        public ISessionManager SessionManager { get; private set; }
        public INetworkManager NetworkManager { get; private set; }

        /// <summary>
        /// Redirect the client to a specific URL if authentication failed.
        /// If this property is null, simply `401 Unauthorized` is returned.
        /// </summary>
        public string HtmlRedirect { get; set; }

        public void Authenticate(IRequest request, IAuthenticationAttributes authAttribtues)
        {
            ValidateUser(request, authAttribtues);
        }

        private void ValidateUser(IRequest request, IAuthenticationAttributes authAttribtues)
        {
            // This code is executed before the service
            var auth = AuthorizationContext.GetAuthorizationInfo(request);

            if (!IsExemptFromAuthenticationToken(auth, authAttribtues, request))
            {
                ValidateSecurityToken(request, auth.Token);
            }

            if (authAttribtues.AllowLocalOnly && !request.IsLocal)
            {
                throw new SecurityException("Operation not found.");
            }

            var user = auth.User;

            if (user == null & !auth.UserId.Equals(Guid.Empty))
            {
                throw new SecurityException("User with Id " + auth.UserId + " not found");
            }

            if (user != null)
            {
                ValidateUserAccess(user, request, authAttribtues, auth);
            }

            var info = GetTokenInfo(request);

            if (!IsExemptFromRoles(auth, authAttribtues, request, info))
            {
                var roles = authAttribtues.GetRoles();

                ValidateRoles(roles, user);
            }

            if (!string.IsNullOrEmpty(auth.DeviceId) &&
                !string.IsNullOrEmpty(auth.Client) &&
                !string.IsNullOrEmpty(auth.Device))
            {
                SessionManager.LogSessionActivity(auth.Client,
                    auth.Version,
                    auth.DeviceId,
                    auth.Device,
                    request.RemoteIp,
                    user);
            }
        }

        private void ValidateUserAccess(User user, IRequest request,
            IAuthenticationAttributes authAttribtues,
            AuthorizationInfo auth)
        {
            if (user.Policy.IsDisabled)
            {
                throw new SecurityException("User account has been disabled.")
                {
                    SecurityExceptionType = SecurityExceptionType.Unauthenticated
                };
            }

            if (!user.Policy.EnableRemoteAccess && !NetworkManager.IsInLocalNetwork(request.RemoteIp))
            {
                throw new SecurityException("User account has been disabled.")
                {
                    SecurityExceptionType = SecurityExceptionType.Unauthenticated
                };
            }

            if (!user.Policy.IsAdministrator &&
                !authAttribtues.EscapeParentalControl &&
                !user.IsParentalScheduleAllowed())
            {
                request.Response.AddHeader("X-Application-Error-Code", "ParentalControl");

                throw new SecurityException("This user account is not allowed access at this time.")
                {
                    SecurityExceptionType = SecurityExceptionType.ParentalControl
                };
            }
        }

        private bool IsExemptFromAuthenticationToken(AuthorizationInfo auth, IAuthenticationAttributes authAttribtues, IRequest request)
        {
            if (!_config.Configuration.IsStartupWizardCompleted && authAttribtues.AllowBeforeStartupWizard)
            {
                return true;
            }

            if (authAttribtues.AllowLocal && request.IsLocal)
            {
                return true;
            }
            if (authAttribtues.AllowLocalOnly && request.IsLocal)
            {
                return true;
            }

            return false;
        }

        private bool IsExemptFromRoles(AuthorizationInfo auth, IAuthenticationAttributes authAttribtues, IRequest request, AuthenticationInfo tokenInfo)
        {
            if (!_config.Configuration.IsStartupWizardCompleted && authAttribtues.AllowBeforeStartupWizard)
            {
                return true;
            }

            if (authAttribtues.AllowLocal && request.IsLocal)
            {
                return true;
            }

            if (authAttribtues.AllowLocalOnly && request.IsLocal)
            {
                return true;
            }

            if (string.IsNullOrEmpty(auth.Token))
            {
                return true;
            }

            if (tokenInfo != null && tokenInfo.UserId.Equals(Guid.Empty))
            {
                return true;
            }

            return false;
        }

        private static void ValidateRoles(string[] roles, User user)
        {
            if (roles.Contains("admin", StringComparer.OrdinalIgnoreCase))
            {
                if (user == null || !user.Policy.IsAdministrator)
                {
                    throw new SecurityException("User does not have admin access.")
                    {
                        SecurityExceptionType = SecurityExceptionType.Unauthenticated
                    };
                }
            }
            if (roles.Contains("delete", StringComparer.OrdinalIgnoreCase))
            {
                if (user == null || !user.Policy.EnableContentDeletion)
                {
                    throw new SecurityException("User does not have delete access.")
                    {
                        SecurityExceptionType = SecurityExceptionType.Unauthenticated
                    };
                }
            }
            if (roles.Contains("download", StringComparer.OrdinalIgnoreCase))
            {
                if (user == null || !user.Policy.EnableContentDownloading)
                {
                    throw new SecurityException("User does not have download access.")
                    {
                        SecurityExceptionType = SecurityExceptionType.Unauthenticated
                    };
                }
            }
        }

        private static AuthenticationInfo GetTokenInfo(IRequest request)
        {
            object info;
            request.Items.TryGetValue("OriginalAuthenticationInfo", out info);
            return info as AuthenticationInfo;
        }

        private void ValidateSecurityToken(IRequest request, string token)
        {
            if (string.IsNullOrEmpty(token))
            {
                throw new SecurityException("Access token is required.");
            }

            var info = GetTokenInfo(request);

            if (info == null)
            {
                throw new SecurityException("Access token is invalid or expired.");
            }

            //if (!string.IsNullOrEmpty(info.UserId))
            //{
            //    var user = _userManager.GetUserById(info.UserId);

            //    if (user == null || user.Configuration.IsDisabled)
            //    {
            //        throw new SecurityException("User account has been disabled.");
            //    }
            //}
        }
    }
}
Mayor code cleanup Add ArgumentExceptions now use proper nameof operators. Added exception messages to quite a few ArgumentExceptions. Fixed rethorwing to be proper syntax. Added a ton of null checkes. (This is only a start, there are about 500 places that need proper null handling) Added some TODOs to log certain exceptions. Fix sln again. Fixed all AssemblyInfo's and added proper copyright (where I could find them) We live in current year. Fixed the use of braces. Fixed a ton of properties, and made a fair amount of functions static that should be and can be static. Made more Methods that should be static static. You can now use static to find bad functions! Removed unused variable. And added one more proper XML comment. 2019-01-06 20:50:43 +00:00			`using MediaBrowser.Controller.Configuration;`
upgrade to jquery mobile 1.4.5 2014-11-03 03:38:43 +00:00			`using MediaBrowser.Controller.Connect;`
enable user device access 2014-12-29 20:18:48 +00:00			`using MediaBrowser.Controller.Devices;`
revise endpoint attributes 2014-11-15 02:31:03 +00:00			`using MediaBrowser.Controller.Entities;`
run all ajax through apiclient 2014-07-02 05:16:59 +00:00			`using MediaBrowser.Controller.Library;`
			`using MediaBrowser.Controller.Net;`
revise endpoint attributes 2014-11-15 02:31:03 +00:00			`using MediaBrowser.Controller.Security;`
updated service stack 2014-11-15 15:51:49 +00:00			`using MediaBrowser.Controller.Session;`
fixes #789 - Security Issue: API allows access to any folder of the PC running MediaBrowser 2014-07-02 04:57:18 +00:00			`using System;`
			`using System.Linq;`
update request classes 2017-09-03 18:38:26 +00:00			`using MediaBrowser.Model.Services;`
Update to 3.5.2 and .net core 2.1 2018-09-12 17:26:21 +00:00			`using MediaBrowser.Common.Net;`
fixes #789 - Security Issue: API allows access to any folder of the PC running MediaBrowser 2014-07-02 04:57:18 +00:00
move classes 2016-11-04 01:18:51 +00:00			`namespace Emby.Server.Implementations.HttpServer.Security`
fixes #789 - Security Issue: API allows access to any folder of the PC running MediaBrowser 2014-07-02 04:57:18 +00:00			`{`
			`public class AuthService : IAuthService`
			`{`
completed auth database 2014-07-08 01:41:03 +00:00			`private readonly IServerConfigurationManager _config;`

Add GPL modules 2018-12-27 23:27:57 +00:00			`public AuthService(IUserManager userManager, IAuthorizationContext authorizationContext, IServerConfigurationManager config, ISessionManager sessionManager, INetworkManager networkManager)`
run all ajax through apiclient 2014-07-02 05:16:59 +00:00			`{`
			`AuthorizationContext = authorizationContext;`
completed auth database 2014-07-08 01:41:03 +00:00			`_config = config;`
updated service stack 2014-11-15 15:51:49 +00:00			`SessionManager = sessionManager;`
run all ajax through apiclient 2014-07-02 05:16:59 +00:00			`UserManager = userManager;`
Update to 3.5.2 and .net core 2.1 2018-09-12 17:26:21 +00:00			`NetworkManager = networkManager;`
run all ajax through apiclient 2014-07-02 05:16:59 +00:00			`}`

			`public IUserManager UserManager { get; private set; }`
			`public IAuthorizationContext AuthorizationContext { get; private set; }`
updated service stack 2014-11-15 15:51:49 +00:00			`public ISessionManager SessionManager { get; private set; }`
Update to 3.5.2 and .net core 2.1 2018-09-12 17:26:21 +00:00			`public INetworkManager NetworkManager { get; private set; }`
run all ajax through apiclient 2014-07-02 05:16:59 +00:00
fixes #789 - Security Issue: API allows access to any folder of the PC running MediaBrowser 2014-07-02 04:57:18 +00:00			`/// <summary>`
			`/// Redirect the client to a specific URL if authentication failed.`
			/// If this property is null, simply `401 Unauthorized` is returned.
			`/// </summary>`
			`public string HtmlRedirect { get; set; }`

Update to 3.5.2 and .net core 2.1 2018-09-12 17:26:21 +00:00			`public void Authenticate(IRequest request, IAuthenticationAttributes authAttribtues)`
fixes #789 - Security Issue: API allows access to any folder of the PC running MediaBrowser 2014-07-02 04:57:18 +00:00			`{`
revise endpoint attributes 2014-11-15 02:31:03 +00:00			`ValidateUser(request, authAttribtues);`
fixes #789 - Security Issue: API allows access to any folder of the PC running MediaBrowser 2014-07-02 04:57:18 +00:00			`}`

Update to 3.5.2 and .net core 2.1 2018-09-12 17:26:21 +00:00			`private void ValidateUser(IRequest request, IAuthenticationAttributes authAttribtues)`
fixes #789 - Security Issue: API allows access to any folder of the PC running MediaBrowser 2014-07-02 04:57:18 +00:00			`{`
remove mono compiler directives 2014-10-06 23:58:46 +00:00			`// This code is executed before the service`
revise endpoint attributes 2014-11-15 02:31:03 +00:00			`var auth = AuthorizationContext.GetAuthorizationInfo(request);`
run all ajax through apiclient 2014-07-02 05:16:59 +00:00
update request classes 2017-09-03 18:38:26 +00:00			`if (!IsExemptFromAuthenticationToken(auth, authAttribtues, request))`
run all ajax through apiclient 2014-07-02 05:16:59 +00:00			`{`
Remove Emby.Server.Connect 2018-12-11 00:27:54 +00:00			`ValidateSecurityToken(request, auth.Token);`
completed auth database 2014-07-08 01:41:03 +00:00			`}`
run all ajax through apiclient 2014-07-02 05:16:59 +00:00
Update to 3.5.2 and .net core 2.1 2018-09-12 17:26:21 +00:00			`if (authAttribtues.AllowLocalOnly && !request.IsLocal)`
			`{`
			`throw new SecurityException("Operation not found.");`
			`}`
run all ajax through apiclient 2014-07-02 05:16:59 +00:00
Update to 3.5.2 and .net core 2.1 2018-09-12 17:26:21 +00:00			`var user = auth.User;`

			`if (user == null & !auth.UserId.Equals(Guid.Empty))`
fix ipad login issue 2014-07-15 01:25:58 +00:00			`{`
revise endpoint attributes 2014-11-15 02:31:03 +00:00			`throw new SecurityException("User with Id " + auth.UserId + " not found");`
fix ipad login issue 2014-07-15 01:25:58 +00:00			`}`

fixes #552 - Add parental control usage limits 2014-10-15 00:05:09 +00:00			`if (user != null)`
completed auth database 2014-07-08 01:41:03 +00:00			`{`
enable user device access 2014-12-29 20:18:48 +00:00			`ValidateUserAccess(user, request, authAttribtues, auth);`
run all ajax through apiclient 2014-07-02 05:16:59 +00:00			`}`
completed auth database 2014-07-08 01:41:03 +00:00
update dlna profiles 2015-02-07 03:25:23 +00:00			`var info = GetTokenInfo(request);`
fixes #1001 - Support downloading 2015-02-06 05:39:07 +00:00
update request classes 2017-09-03 18:38:26 +00:00			`if (!IsExemptFromRoles(auth, authAttribtues, request, info))`
revise endpoint attributes 2014-11-15 02:31:03 +00:00			`{`
3.2.30.3 2017-08-30 18:52:29 +00:00			`var roles = authAttribtues.GetRoles();`
revise endpoint attributes 2014-11-15 02:31:03 +00:00
			`ValidateRoles(roles, user);`
			`}`
updated service stack 2014-11-15 15:51:49 +00:00
Update to 3.5.2 and .net core 2.1 2018-09-12 17:26:21 +00:00			`if (!string.IsNullOrEmpty(auth.DeviceId) &&`
			`!string.IsNullOrEmpty(auth.Client) &&`
			`!string.IsNullOrEmpty(auth.Device))`
updated service stack 2014-11-15 15:51:49 +00:00			`{`
			`SessionManager.LogSessionActivity(auth.Client,`
			`auth.Version,`
			`auth.DeviceId,`
			`auth.Device,`
			`request.RemoteIp,`
			`user);`
			`}`
revise endpoint attributes 2014-11-15 02:31:03 +00:00			`}`

update request classes 2017-09-03 18:38:26 +00:00			`private void ValidateUserAccess(User user, IRequest request,`
enable user device access 2014-12-29 20:18:48 +00:00			`IAuthenticationAttributes authAttribtues,`
			`AuthorizationInfo auth)`
			`{`
			`if (user.Policy.IsDisabled)`
			`{`
			`throw new SecurityException("User account has been disabled.")`
			`{`
			`SecurityExceptionType = SecurityExceptionType.Unauthenticated`
			`};`
			`}`

Update to 3.5.2 and .net core 2.1 2018-09-12 17:26:21 +00:00			`if (!user.Policy.EnableRemoteAccess && !NetworkManager.IsInLocalNetwork(request.RemoteIp))`
			`{`
			`throw new SecurityException("User account has been disabled.")`
			`{`
			`SecurityExceptionType = SecurityExceptionType.Unauthenticated`
			`};`
			`}`

enable user device access 2014-12-29 20:18:48 +00:00			`if (!user.Policy.IsAdministrator &&`
			`!authAttribtues.EscapeParentalControl &&`
			`!user.IsParentalScheduleAllowed())`
			`{`
update request classes 2017-09-03 18:38:26 +00:00			`request.Response.AddHeader("X-Application-Error-Code", "ParentalControl");`
enable user device access 2014-12-29 20:18:48 +00:00
			`throw new SecurityException("This user account is not allowed access at this time.")`
			`{`
			`SecurityExceptionType = SecurityExceptionType.ParentalControl`
			`};`
			`}`
			`}`

update request classes 2017-09-03 18:38:26 +00:00			`private bool IsExemptFromAuthenticationToken(AuthorizationInfo auth, IAuthenticationAttributes authAttribtues, IRequest request)`
revise endpoint attributes 2014-11-15 02:31:03 +00:00			`{`
update authentication 2016-02-18 18:27:46 +00:00			`if (!_config.Configuration.IsStartupWizardCompleted && authAttribtues.AllowBeforeStartupWizard)`
revise endpoint attributes 2014-11-15 02:31:03 +00:00			`{`
			`return true;`
			`}`

update request classes 2017-09-03 18:38:26 +00:00			`if (authAttribtues.AllowLocal && request.IsLocal)`
			`{`
			`return true;`
			`}`
Update to 3.5.2 and .net core 2.1 2018-09-12 17:26:21 +00:00			`if (authAttribtues.AllowLocalOnly && request.IsLocal)`
			`{`
			`return true;`
			`}`
update request classes 2017-09-03 18:38:26 +00:00
update authentication 2016-02-18 18:27:46 +00:00			`return false;`
revise endpoint attributes 2014-11-15 02:31:03 +00:00			`}`

update request classes 2017-09-03 18:38:26 +00:00			`private bool IsExemptFromRoles(AuthorizationInfo auth, IAuthenticationAttributes authAttribtues, IRequest request, AuthenticationInfo tokenInfo)`
revise endpoint attributes 2014-11-15 02:31:03 +00:00			`{`
update authentication 2016-02-18 18:27:46 +00:00			`if (!_config.Configuration.IsStartupWizardCompleted && authAttribtues.AllowBeforeStartupWizard)`
revise endpoint attributes 2014-11-15 02:31:03 +00:00			`{`
			`return true;`
			`}`

update request classes 2017-09-03 18:38:26 +00:00			`if (authAttribtues.AllowLocal && request.IsLocal)`
			`{`
			`return true;`
			`}`

Update to 3.5.2 and .net core 2.1 2018-09-12 17:26:21 +00:00			`if (authAttribtues.AllowLocalOnly && request.IsLocal)`
			`{`
			`return true;`
			`}`

			`if (string.IsNullOrEmpty(auth.Token))`
fixes #1001 - Support downloading 2015-02-06 05:39:07 +00:00			`{`
			`return true;`
			`}`

Update to 3.5.2 and .net core 2.1 2018-09-12 17:26:21 +00:00			`if (tokenInfo != null && tokenInfo.UserId.Equals(Guid.Empty))`
fixes #1001 - Support downloading 2015-02-06 05:39:07 +00:00			`{`
			`return true;`
			`}`

revise endpoint attributes 2014-11-15 02:31:03 +00:00			`return false;`
			`}`
connect updates 2014-10-28 23:17:55 +00:00
Mayor code cleanup Add ArgumentExceptions now use proper nameof operators. Added exception messages to quite a few ArgumentExceptions. Fixed rethorwing to be proper syntax. Added a ton of null checkes. (This is only a start, there are about 500 places that need proper null handling) Added some TODOs to log certain exceptions. Fix sln again. Fixed all AssemblyInfo's and added proper copyright (where I could find them) We live in current year. Fixed the use of braces. Fixed a ton of properties, and made a fair amount of functions static that should be and can be static. Made more Methods that should be static static. You can now use static to find bad functions! Removed unused variable. And added one more proper XML comment. 2019-01-06 20:50:43 +00:00			`private static void ValidateRoles(string[] roles, User user)`
revise endpoint attributes 2014-11-15 02:31:03 +00:00			`{`
set roles on connect endpoints 2014-09-14 17:42:23 +00:00			`if (roles.Contains("admin", StringComparer.OrdinalIgnoreCase))`
			`{`
start using user policy 2014-12-20 06:06:27 +00:00			`if (user == null \|\| !user.Policy.IsAdministrator)`
set roles on connect endpoints 2014-09-14 17:42:23 +00:00			`{`
revise endpoint attributes 2014-11-15 02:31:03 +00:00			`throw new SecurityException("User does not have admin access.")`
			`{`
			`SecurityExceptionType = SecurityExceptionType.Unauthenticated`
			`};`
set roles on connect endpoints 2014-09-14 17:42:23 +00:00			`}`
			`}`
revise endpoint attributes 2014-11-15 02:31:03 +00:00			`if (roles.Contains("delete", StringComparer.OrdinalIgnoreCase))`
fixes #789 - Security Issue: API allows access to any folder of the PC running MediaBrowser 2014-07-02 04:57:18 +00:00			`{`
start using user policy 2014-12-20 06:06:27 +00:00			`if (user == null \|\| !user.Policy.EnableContentDeletion)`
revise endpoint attributes 2014-11-15 02:31:03 +00:00			`{`
			`throw new SecurityException("User does not have delete access.")`
			`{`
			`SecurityExceptionType = SecurityExceptionType.Unauthenticated`
			`};`
			`}`
fixes #789 - Security Issue: API allows access to any folder of the PC running MediaBrowser 2014-07-02 04:57:18 +00:00			`}`
fixes #1001 - Support downloading 2015-02-06 05:39:07 +00:00			`if (roles.Contains("download", StringComparer.OrdinalIgnoreCase))`
			`{`
			`if (user == null \|\| !user.Policy.EnableContentDownloading)`
			`{`
			`throw new SecurityException("User does not have download access.")`
			`{`
			`SecurityExceptionType = SecurityExceptionType.Unauthenticated`
			`};`
			`}`
			`}`
fixes #789 - Security Issue: API allows access to any folder of the PC running MediaBrowser 2014-07-02 04:57:18 +00:00			`}`

Mayor code cleanup Add ArgumentExceptions now use proper nameof operators. Added exception messages to quite a few ArgumentExceptions. Fixed rethorwing to be proper syntax. Added a ton of null checkes. (This is only a start, there are about 500 places that need proper null handling) Added some TODOs to log certain exceptions. Fix sln again. Fixed all AssemblyInfo's and added proper copyright (where I could find them) We live in current year. Fixed the use of braces. Fixed a ton of properties, and made a fair amount of functions static that should be and can be static. Made more Methods that should be static static. You can now use static to find bad functions! Removed unused variable. And added one more proper XML comment. 2019-01-06 20:50:43 +00:00			`private static AuthenticationInfo GetTokenInfo(IRequest request)`
update dlna profiles 2015-02-07 03:25:23 +00:00			`{`
			`object info;`
			`request.Items.TryGetValue("OriginalAuthenticationInfo", out info);`
			`return info as AuthenticationInfo;`
			`}`

update request classes 2017-09-03 18:38:26 +00:00			`private void ValidateSecurityToken(IRequest request, string token)`
fixes #789 - Security Issue: API allows access to any folder of the PC running MediaBrowser 2014-07-02 04:57:18 +00:00			`{`
Update to 3.5.2 and .net core 2.1 2018-09-12 17:26:21 +00:00			`if (string.IsNullOrEmpty(token))`
fixes #789 - Security Issue: API allows access to any folder of the PC running MediaBrowser 2014-07-02 04:57:18 +00:00			`{`
update logging levels 2015-10-04 22:04:56 +00:00			`throw new SecurityException("Access token is required.");`
fixes #789 - Security Issue: API allows access to any folder of the PC running MediaBrowser 2014-07-02 04:57:18 +00:00			`}`

update dlna profiles 2015-02-07 03:25:23 +00:00			`var info = GetTokenInfo(request);`
revise endpoint attributes 2014-11-15 02:31:03 +00:00
			`if (info == null)`
fixes #789 - Security Issue: API allows access to any folder of the PC running MediaBrowser 2014-07-02 04:57:18 +00:00			`{`
revise endpoint attributes 2014-11-15 02:31:03 +00:00			`throw new SecurityException("Access token is invalid or expired.");`
fixes #789 - Security Issue: API allows access to any folder of the PC running MediaBrowser 2014-07-02 04:57:18 +00:00			`}`

Update to 3.5.2 and .net core 2.1 2018-09-12 17:26:21 +00:00			`//if (!string.IsNullOrEmpty(info.UserId))`
revise endpoint attributes 2014-11-15 02:31:03 +00:00			`//{`
			`// var user = _userManager.GetUserById(info.UserId);`
fixes #789 - Security Issue: API allows access to any folder of the PC running MediaBrowser 2014-07-02 04:57:18 +00:00
revise endpoint attributes 2014-11-15 02:31:03 +00:00			`// if (user == null \|\| user.Configuration.IsDisabled)`
			`// {`
			`// throw new SecurityException("User account has been disabled.");`
			`// }`
			`//}`
fixes #789 - Security Issue: API allows access to any folder of the PC running MediaBrowser 2014-07-02 04:57:18 +00:00			`}`
			`}`
			`}`