set roles on connect endpoints

This commit is contained in:
Luke Pulverenti 2014-09-14 13:42:23 -04:00
parent 14bb0aa30c
commit 9991360d8a
5 changed files with 41 additions and 18 deletions


@ -1,7 +1,7 @@
using System.Threading.Tasks; using MediaBrowser.Controller.Connect;
using MediaBrowser.Controller.Connect;
using MediaBrowser.Controller.Net; using MediaBrowser.Controller.Net;
using ServiceStack; using ServiceStack;
using System.Threading.Tasks;
namespace MediaBrowser.Api namespace MediaBrowser.Api
{ {
@ -28,8 +28,8 @@ namespace MediaBrowser.Api
[ApiMember(Name = "Id", Description = "User Id", IsRequired = true, DataType = "string", ParameterType = "query", Verb = "DELETE")] [ApiMember(Name = "Id", Description = "User Id", IsRequired = true, DataType = "string", ParameterType = "query", Verb = "DELETE")]
public string Id { get; set; } public string Id { get; set; }
} }
[Authenticated] [Authenticated(Roles = "Admin")]
public class ConnectService : BaseApiService public class ConnectService : BaseApiService
{ {
private readonly IConnectManager _connectManager; private readonly IConnectManager _connectManager;
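Review bot: The role name on `[Authenticated(Roles = "Admin")]` is a free-form string whose only consumer is the case-insensitive `roles.Contains("admin", ...)` check in AuthService.ValidateUser elsewhere in this commit; a misspelling here would not fail to compile, it would silently leave the endpoint with no admin gate. Consider exposing the recognized role as a constant on the attribute class (for example a constructed `public const string AdminRole = "Admin";`) and using `Roles = AuthenticatedAttribute.AdminRole` here and the same constant in the ValidateUser comparison. The rest of ConnectService is outside the hunk.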


@ -1,5 +1,6 @@
using ServiceStack.Web; using ServiceStack.Web;
using System; using System;
using System.Linq;
namespace MediaBrowser.Controller.Net namespace MediaBrowser.Controller.Net
{ {
@ -13,6 +14,8 @@ namespace MediaBrowser.Controller.Net
/// <value><c>true</c> if [allow local]; otherwise, <c>false</c>.</value> /// <value><c>true</c> if [allow local]; otherwise, <c>false</c>.</value>
public bool AllowLocal { get; set; } public bool AllowLocal { get; set; }
public string Roles { get; set; }
/// <summary> /// <summary>
/// The request filter is executed before the service. /// The request filter is executed before the service.
/// </summary> /// </summary>
@ -21,7 +24,11 @@ namespace MediaBrowser.Controller.Net
/// <param name="requestDto">The request DTO</param> /// <param name="requestDto">The request DTO</param>
public void RequestFilter(IRequest request, IResponse response, object requestDto) public void RequestFilter(IRequest request, IResponse response, object requestDto)
{ {
AuthService.Authenticate(request, response, requestDto, AllowLocal); var roles = (Roles ?? string.Empty).Split(',')
.Where(i => !string.IsNullOrWhiteSpace(i))
.ToArray();
AuthService.Authenticate(request, response, requestDto, AllowLocal, roles);
} }
/// <summary> /// <summary>
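Review bot: `Split(',')` in RequestFilter does not trim the pieces, so a value such as `"Admin, User"` yields `" User"`, which would not match a role compared by exact text; only whitespace-only entries are dropped. Trimming before filtering closes that gap: `var roles = (Roles ?? string.Empty).Split(',').Select(i => i.Trim()).Where(i => !string.IsNullOrWhiteSpace(i)).ToArray();`. The new `Roles` property is also the only member in the hunk without XML documentation; a summary such as `/// <summary>Comma-separated list of roles the caller must hold; empty or null means no role is required.</summary>` would bring it in line with `AllowLocal` above it. The class header is outside the hunk.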


@ -1,9 +1,14 @@
using ServiceStack.Web; using ServiceStack.Web;
using System.Collections.Generic;
namespace MediaBrowser.Controller.Net namespace MediaBrowser.Controller.Net
{ {
public interface IAuthService public interface IAuthService
{ {
void Authenticate(IRequest request, IResponse response, object requestDto, bool allowLocal); void Authenticate(IRequest request,
IResponse response,
object requestDto,
bool allowLocal,
string[] roles);
} }
} }
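Review bot: The new `roles` parameter on IAuthService.Authenticate has no contract stated: whether null is accepted, whether the values are case-sensitive, and which role names an implementation is expected to recognise. Since this interface is what attribute code in other assemblies programs against, an XML `<param name="roles">` entry describing those points (null-or-empty means no role check; comparison is case-insensitive, as the implementation in this commit does) would avoid each caller guessing. The added `using System.Collections.Generic;` is not used by anything visible in the hunk, since the parameter is a `string[]`; it can presumably be dropped unless something outside the hunk needs it.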


@ -175,7 +175,7 @@ namespace MediaBrowser.Model.Configuration
public PeopleMetadataOptions PeopleMetadataOptions { get; set; } public PeopleMetadataOptions PeopleMetadataOptions { get; set; }
public string[] SecureApps1 { get; set; } public string[] SecureApps2 { get; set; }
public bool SaveMetadataHidden { get; set; } public bool SaveMetadataHidden { get; set; }
@ -223,7 +223,7 @@ namespace MediaBrowser.Model.Configuration
PeopleMetadataOptions = new PeopleMetadataOptions(); PeopleMetadataOptions = new PeopleMetadataOptions();
SecureApps1 = new[] SecureApps2 = new[]
{ {
"Dashboard", "Dashboard",
"MBKinect", "MBKinect",
@ -231,7 +231,7 @@ namespace MediaBrowser.Model.Configuration
"Media Browser Theater", "Media Browser Theater",
//"Chrome Companion", //"Chrome Companion",
//"MB-Classic" "MB-Classic"
}; };
MetadataOptions = new[] MetadataOptions = new[]
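Review bot: Renaming `SecureApps1` to `SecureApps2` while re-enabling `"MB-Classic"` in the default list looks like a deliberate way to make already-persisted configuration files pick up the new default rather than a plain rename, but nothing on the property says so, so the next maintainer may "clean it up" back to a stable name and lose that effect. A comment on the property, such as `// Renumbered so that existing saved configurations fall back to the new default list instead of keeping the old one`, would record the intent (hedged: the serialization behaviour is inferred, not visible in the hunk). Because membership in this list decides whether AuthService forces user validation for a client name, the list is security-relevant and deserves that note.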


@ -1,5 +1,4 @@
using System.Collections.Generic; using MediaBrowser.Controller.Configuration;
using MediaBrowser.Controller.Configuration;
using MediaBrowser.Controller.Library; using MediaBrowser.Controller.Library;
using MediaBrowser.Controller.Net; using MediaBrowser.Controller.Net;
using MediaBrowser.Controller.Session; using MediaBrowser.Controller.Session;
@ -42,24 +41,29 @@ namespace MediaBrowser.Server.Implementations.HttpServer.Security
/// </summary> /// </summary>
public string HtmlRedirect { get; set; } public string HtmlRedirect { get; set; }
public void Authenticate(IRequest req, IResponse res, object requestDto, bool allowLocal) public void Authenticate(IRequest request,
IResponse response,
object requestDto,
bool allowLocal,
string[] roles)
{ {
if (HostContext.HasValidAuthSecret(req)) if (HostContext.HasValidAuthSecret(request))
return; return;
//ExecuteBasic(req, res, requestDto); //first check if session is authenticated //ExecuteBasic(req, res, requestDto); //first check if session is authenticated
//if (res.IsClosed) return; //AuthenticateAttribute already closed the request (ie auth failed) //if (res.IsClosed) return; //AuthenticateAttribute already closed the request (ie auth failed)
ValidateUser(req, allowLocal); ValidateUser(request, allowLocal, roles);
} }
private void ValidateUser(IRequest req, bool allowLocal) private void ValidateUser(IRequest req, bool allowLocal,
string[] roles)
{ {
//This code is executed before the service //This code is executed before the service
var auth = AuthorizationContext.GetAuthorizationInfo(req); var auth = AuthorizationContext.GetAuthorizationInfo(req);
if (!string.IsNullOrWhiteSpace(auth.Token) if (!string.IsNullOrWhiteSpace(auth.Token)
|| _config.Configuration.SecureApps1.Contains(auth.Client ?? string.Empty, StringComparer.OrdinalIgnoreCase)) || _config.Configuration.SecureApps2.Contains(auth.Client ?? string.Empty, StringComparer.OrdinalIgnoreCase))
{ {
if (!allowLocal || !req.IsLocal) if (!allowLocal || !req.IsLocal)
{ {
@ -73,8 +77,7 @@ namespace MediaBrowser.Server.Implementations.HttpServer.Security
if (user == null & !string.IsNullOrWhiteSpace(auth.UserId)) if (user == null & !string.IsNullOrWhiteSpace(auth.UserId))
{ {
// TODO: Re-enable throw new ArgumentException("User with Id " + auth.UserId + " not found");
//throw new ArgumentException("User with Id " + auth.UserId + " not found");
} }
if (user != null && user.Configuration.IsDisabled) if (user != null && user.Configuration.IsDisabled)
@ -82,6 +85,14 @@ namespace MediaBrowser.Server.Implementations.HttpServer.Security
throw new AuthenticationException("User account has been disabled."); throw new AuthenticationException("User account has been disabled.");
} }
if (roles.Contains("admin", StringComparer.OrdinalIgnoreCase))
{
if (user == null || !user.Configuration.IsAdministrator)
{
throw new ArgumentException("Administrative access is required for this request.");
}
}
if (!string.IsNullOrWhiteSpace(auth.DeviceId) && if (!string.IsNullOrWhiteSpace(auth.DeviceId) &&
!string.IsNullOrWhiteSpace(auth.Client) && !string.IsNullOrWhiteSpace(auth.Client) &&
!string.IsNullOrWhiteSpace(auth.Device)) !string.IsNullOrWhiteSpace(auth.Device))
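Review bot: The new admin gate in ValidateUser fails with `ArgumentException`, while the disabled-account case two lines above uses `AuthenticationException`; callers and the HTTP error mapping will treat an authorization refusal like a malformed argument, and anyone filtering logs for authentication failures will miss it. It also dereferences `roles` without a null check, so any caller other than AuthenticatedAttribute that passes null gets a NullReferenceException instead of a clean denial. Suggested: `if (roles != null && roles.Contains("admin", StringComparer.OrdinalIgnoreCase))` and `throw new AuthenticationException("Administrative access is required for this request.");`. If this check sits inside the same conditional as the token/SecureApps2 test earlier in the method, requests with no token from a client not in that list would never reach it, which is worth confirming since the attribute on ConnectService relies on it. The enclosing method continues outside the hunk.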