set roles on connect endpoints
This commit is contained in:
parent
14bb0aa30c
commit
9991360d8a
|
@ -1,7 +1,7 @@
|
||||||
using System.Threading.Tasks;
|
using MediaBrowser.Controller.Connect;
|
||||||
using MediaBrowser.Controller.Connect;
|
|
||||||
using MediaBrowser.Controller.Net;
|
using MediaBrowser.Controller.Net;
|
||||||
using ServiceStack;
|
using ServiceStack;
|
||||||
|
using System.Threading.Tasks;
|
||||||
|
|
||||||
namespace MediaBrowser.Api
|
namespace MediaBrowser.Api
|
||||||
{
|
{
|
||||||
|
@ -29,7 +29,7 @@ namespace MediaBrowser.Api
|
||||||
public string Id { get; set; }
|
public string Id { get; set; }
|
||||||
}
|
}
|
||||||
|
|
||||||
[Authenticated]
|
[Authenticated(Roles = "Admin")]
|
||||||
public class ConnectService : BaseApiService
|
public class ConnectService : BaseApiService
|
||||||
{
|
{
|
||||||
private readonly IConnectManager _connectManager;
|
private readonly IConnectManager _connectManager;
|
||||||
|
|
|
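Review bot: `Roles = "Admin"` on the class attribute is a free-form string whose only consumer in this commit is the case-insensitive comparison against the literal "admin" in AuthService.ValidateUser, so a misspelling here would not fail but would quietly switch the admin requirement off for every ConnectService endpoint. A constant on the attribute class, e.g. `public const string AdminRole = "Admin";` used as `[Authenticated(Roles = AuthenticatedAttribute.AdminRole)]`, keeps the two sides in step and is refactor-safe. The ConnectService class body continues outside the hunk.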
@ -1,5 +1,6 @@
|
||||||
using ServiceStack.Web;
|
using ServiceStack.Web;
|
||||||
using System;
|
using System;
|
||||||
|
using System.Linq;
|
||||||
|
|
||||||
namespace MediaBrowser.Controller.Net
|
namespace MediaBrowser.Controller.Net
|
||||||
{
|
{
|
||||||
|
@ -13,6 +14,8 @@ namespace MediaBrowser.Controller.Net
|
||||||
/// <value><c>true</c> if [allow local]; otherwise, <c>false</c>.</value>
|
/// <value><c>true</c> if [allow local]; otherwise, <c>false</c>.</value>
|
||||||
public bool AllowLocal { get; set; }
|
public bool AllowLocal { get; set; }
|
||||||
|
|
||||||
|
public string Roles { get; set; }
|
||||||
|
|
||||||
/// <summary>
|
/// <summary>
|
||||||
/// The request filter is executed before the service.
|
/// The request filter is executed before the service.
|
||||||
/// </summary>
|
/// </summary>
|
||||||
|
@ -21,7 +24,11 @@ namespace MediaBrowser.Controller.Net
|
||||||
/// <param name="requestDto">The request DTO</param>
|
/// <param name="requestDto">The request DTO</param>
|
||||||
public void RequestFilter(IRequest request, IResponse response, object requestDto)
|
public void RequestFilter(IRequest request, IResponse response, object requestDto)
|
||||||
{
|
{
|
||||||
AuthService.Authenticate(request, response, requestDto, AllowLocal);
|
var roles = (Roles ?? string.Empty).Split(',')
|
||||||
|
.Where(i => !string.IsNullOrWhiteSpace(i))
|
||||||
|
.ToArray();
|
||||||
|
|
||||||
|
AuthService.Authenticate(request, response, requestDto, AllowLocal, roles);
|
||||||
}
|
}
|
||||||
|
|
||||||
/// <summary>
|
/// <summary>
|
||||||
|
|
|
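Review bot: The comma split in RequestFilter does not trim entries, so `Roles = "Admin, Editor"` yields `" Editor"`, which the downstream `Contains(..., StringComparer.OrdinalIgnoreCase)` check in AuthService will never match. Inserting `.Select(i => i.Trim())` before the `.Where(...)` fixes this. The new `Roles` property also lacks the XML doc its neighbour AllowLocal has; suggest `/// <summary>Comma-separated list of roles the caller must hold, e.g. "Admin"; null or empty means no role is required.</summary>`. Since the attribute's properties are fixed at declaration, the split could be done once rather than on every request, though that is a minor point.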
@ -1,9 +1,14 @@
|
||||||
using ServiceStack.Web;
|
using ServiceStack.Web;
|
||||||
|
using System.Collections.Generic;
|
||||||
|
|
||||||
namespace MediaBrowser.Controller.Net
|
namespace MediaBrowser.Controller.Net
|
||||||
{
|
{
|
||||||
public interface IAuthService
|
public interface IAuthService
|
||||||
{
|
{
|
||||||
void Authenticate(IRequest request, IResponse response, object requestDto, bool allowLocal);
|
void Authenticate(IRequest request,
|
||||||
|
IResponse response,
|
||||||
|
object requestDto,
|
||||||
|
bool allowLocal,
|
||||||
|
string[] roles);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
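Review bot: The new `roles` parameter carries no null contract, yet the implementation in this commit (AuthService.ValidateUser) calls `roles.Contains(...)` directly, which throws on a null array. Either document that callers must pass an empty array, e.g. `/// <param name="roles">Roles the caller must hold; an empty array when none are required, never null.</param>`, or have the implementation coalesce null. The attribute's RequestFilter always passes a non-null array, so only other implementers or callers are affected.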
@ -175,7 +175,7 @@ namespace MediaBrowser.Model.Configuration
|
||||||
|
|
||||||
public PeopleMetadataOptions PeopleMetadataOptions { get; set; }
|
public PeopleMetadataOptions PeopleMetadataOptions { get; set; }
|
||||||
|
|
||||||
public string[] SecureApps1 { get; set; }
|
public string[] SecureApps2 { get; set; }
|
||||||
|
|
||||||
public bool SaveMetadataHidden { get; set; }
|
public bool SaveMetadataHidden { get; set; }
|
||||||
|
|
||||||
|
@ -223,7 +223,7 @@ namespace MediaBrowser.Model.Configuration
|
||||||
|
|
||||||
PeopleMetadataOptions = new PeopleMetadataOptions();
|
PeopleMetadataOptions = new PeopleMetadataOptions();
|
||||||
|
|
||||||
SecureApps1 = new[]
|
SecureApps2 = new[]
|
||||||
{
|
{
|
||||||
"Dashboard",
|
"Dashboard",
|
||||||
"MBKinect",
|
"MBKinect",
|
||||||
|
@ -231,7 +231,7 @@ namespace MediaBrowser.Model.Configuration
|
||||||
"Media Browser Theater",
|
"Media Browser Theater",
|
||||||
|
|
||||||
//"Chrome Companion",
|
//"Chrome Companion",
|
||||||
//"MB-Classic"
|
"MB-Classic"
|
||||||
};
|
};
|
||||||
|
|
||||||
MetadataOptions = new[]
|
MetadataOptions = new[]
|
||||||
|
|
|
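Review bot: Uncommenting "MB-Classic" widens the set of client names that satisfy the authentication check without an access token (in AuthService.ValidateUser the SecureApps2 membership test is OR'd with the token check), and the client name appears to be read from the request's authorization info rather than anything the server verifies, so the property deserves a comment that names it as a trust decision: `/// <summary>Client names accepted on authenticated endpoints without an access token; keep this list as short as possible.</summary>`. The rename from SecureApps1 to SecureApps2 looks like a way to make persisted configuration pick up the new default; if so, a one-line comment saying that would stop the next reader treating it as a typo, and it should be noted that any operator edits to the old list are silently dropped.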
@ -1,5 +1,4 @@
|
||||||
using System.Collections.Generic;
|
using MediaBrowser.Controller.Configuration;
|
||||||
using MediaBrowser.Controller.Configuration;
|
|
||||||
using MediaBrowser.Controller.Library;
|
using MediaBrowser.Controller.Library;
|
||||||
using MediaBrowser.Controller.Net;
|
using MediaBrowser.Controller.Net;
|
||||||
using MediaBrowser.Controller.Session;
|
using MediaBrowser.Controller.Session;
|
||||||
|
@ -42,24 +41,29 @@ namespace MediaBrowser.Server.Implementations.HttpServer.Security
|
||||||
/// </summary>
|
/// </summary>
|
||||||
public string HtmlRedirect { get; set; }
|
public string HtmlRedirect { get; set; }
|
||||||
|
|
||||||
public void Authenticate(IRequest req, IResponse res, object requestDto, bool allowLocal)
|
public void Authenticate(IRequest request,
|
||||||
|
IResponse response,
|
||||||
|
object requestDto,
|
||||||
|
bool allowLocal,
|
||||||
|
string[] roles)
|
||||||
{
|
{
|
||||||
if (HostContext.HasValidAuthSecret(req))
|
if (HostContext.HasValidAuthSecret(request))
|
||||||
return;
|
return;
|
||||||
|
|
||||||
//ExecuteBasic(req, res, requestDto); //first check if session is authenticated
|
//ExecuteBasic(req, res, requestDto); //first check if session is authenticated
|
||||||
//if (res.IsClosed) return; //AuthenticateAttribute already closed the request (ie auth failed)
|
//if (res.IsClosed) return; //AuthenticateAttribute already closed the request (ie auth failed)
|
||||||
|
|
||||||
ValidateUser(req, allowLocal);
|
ValidateUser(request, allowLocal, roles);
|
||||||
}
|
}
|
||||||
|
|
||||||
private void ValidateUser(IRequest req, bool allowLocal)
|
private void ValidateUser(IRequest req, bool allowLocal,
|
||||||
|
string[] roles)
|
||||||
{
|
{
|
||||||
//This code is executed before the service
|
//This code is executed before the service
|
||||||
var auth = AuthorizationContext.GetAuthorizationInfo(req);
|
var auth = AuthorizationContext.GetAuthorizationInfo(req);
|
||||||
|
|
||||||
if (!string.IsNullOrWhiteSpace(auth.Token)
|
if (!string.IsNullOrWhiteSpace(auth.Token)
|
||||||
|| _config.Configuration.SecureApps1.Contains(auth.Client ?? string.Empty, StringComparer.OrdinalIgnoreCase))
|
|| _config.Configuration.SecureApps2.Contains(auth.Client ?? string.Empty, StringComparer.OrdinalIgnoreCase))
|
||||||
{
|
{
|
||||||
if (!allowLocal || !req.IsLocal)
|
if (!allowLocal || !req.IsLocal)
|
||||||
{
|
{
|
||||||
|
@ -73,8 +77,7 @@ namespace MediaBrowser.Server.Implementations.HttpServer.Security
|
||||||
|
|
||||||
if (user == null & !string.IsNullOrWhiteSpace(auth.UserId))
|
if (user == null & !string.IsNullOrWhiteSpace(auth.UserId))
|
||||||
{
|
{
|
||||||
// TODO: Re-enable
|
throw new ArgumentException("User with Id " + auth.UserId + " not found");
|
||||||
//throw new ArgumentException("User with Id " + auth.UserId + " not found");
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if (user != null && user.Configuration.IsDisabled)
|
if (user != null && user.Configuration.IsDisabled)
|
||||||
|
@ -82,6 +85,14 @@ namespace MediaBrowser.Server.Implementations.HttpServer.Security
|
||||||
throw new AuthenticationException("User account has been disabled.");
|
throw new AuthenticationException("User account has been disabled.");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (roles.Contains("admin", StringComparer.OrdinalIgnoreCase))
|
||||||
|
{
|
||||||
|
if (user == null || !user.Configuration.IsAdministrator)
|
||||||
|
{
|
||||||
|
throw new ArgumentException("Administrative access is required for this request.");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if (!string.IsNullOrWhiteSpace(auth.DeviceId) &&
|
if (!string.IsNullOrWhiteSpace(auth.DeviceId) &&
|
||||||
!string.IsNullOrWhiteSpace(auth.Client) &&
|
!string.IsNullOrWhiteSpace(auth.Client) &&
|
||||||
!string.IsNullOrWhiteSpace(auth.Device))
|
!string.IsNullOrWhiteSpace(auth.Device))
|
||||||
|
|
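Review bot: The admin-role check added at `if (roles.Contains("admin", ...))` sits inside the `if (!allowLocal || !req.IsLocal)` branch of ValidateUser, so as far as the hunk shows an endpoint attributed with both AllowLocal = true and Roles = "Admin" would skip the role requirement for local requests; if that is not intended, the role check should move outside that guard (the remainder of ValidateUser, including what happens when the outer token/secure-app condition is false, is outside the hunk). `roles.Contains` also throws if a caller passes null; `if (roles != null && roles.Contains("admin", StringComparer.OrdinalIgnoreCase))` is the cheap fix. The failure is raised as ArgumentException while the disabled-account case a few lines above throws AuthenticationException; for consistent status-code mapping use `throw new AuthenticationException("Administrative access is required for this request.");`. The literal "admin" is matched case-insensitively against whatever the attribute's Roles string contains, so a shared constant would be safer than two independent literals.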