Fix FirstTimeSetupPolicy allowing guest access (#11651)

This commit is contained in:
Bill Thornton 2024-05-15 09:06:10 -04:00 committed by GitHub
parent 3f760e6685
commit 2cb052a119
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 25 additions and 0 deletions

View File

@ -32,6 +32,10 @@ namespace Jellyfin.Api.Auth.FirstTimeSetupPolicy
{
context.Fail();
}
else if (!requirement.RequireAdmin && context.User.IsInRole(UserRoles.Guest))
{
context.Fail();
}
else
{
// Any user-specific checks are handled in the DefaultAuthorizationHandler.

View File

@ -69,6 +69,27 @@ namespace Jellyfin.Api.Tests.Auth.FirstTimeSetupPolicy
Assert.Equal(shouldSucceed, context.HasSucceeded);
}
[Theory]
[InlineData(UserRoles.Administrator, true)]
[InlineData(UserRoles.Guest, false)]
[InlineData(UserRoles.User, true)]
public async Task ShouldRequireUserIfNotRequiresAdmin(string userRole, bool shouldSucceed)
{
TestHelpers.SetupConfigurationManager(_configurationManagerMock, true);
var claims = TestHelpers.SetupUser(
_userManagerMock,
_httpContextAccessor,
userRole);
var context = new AuthorizationHandlerContext(
new List<IAuthorizationRequirement> { new FirstTimeSetupRequirement(false, false) },
claims,
null);
await _firstTimeSetupHandler.HandleAsync(context);
Assert.Equal(shouldSucceed, context.HasSucceeded);
}
[Fact]
public async Task ShouldAllowAdminApiKeyIfStartupWizardComplete()
{