michael.heier/jellyfin
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Backport pull request #11651 from jellyfin/release-10.9.z

Browse Source 
Fix FirstTimeSetupPolicy allowing guest access

Original-merge: 2cb052a119

Merged-by: crobibero <cody@robibe.ro>

Backported-by: Joshua M. Boniface <joshua@boniface.me>
This commit is contained in:
thornbill 2024-05-17 13:51:44 -04:00 committed by Joshua M. Boniface
parent b063dfd2e3
commit 9a1a588857
2 changed files with 25 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
Jellyfin.Api/Auth/FirstTimeSetupPolicy/FirstTimeSetupHandler.cs
View File

@ -32,6 +32,10 @@ namespace Jellyfin.Api.Auth.FirstTimeSetupPolicy
{
context.Fail();
}
else if (!requirement.RequireAdmin && context.User.IsInRole(UserRoles.Guest))
{
context.Fail();
}
else
{
// Any user-specific checks are handled in the DefaultAuthorizationHandler.

21
tests/Jellyfin.Api.Tests/Auth/FirstTimeSetupPolicy/FirstTimeSetupHandlerTests.cs
View File

@ -69,6 +69,27 @@ namespace Jellyfin.Api.Tests.Auth.FirstTimeSetupPolicy
Assert.Equal(shouldSucceed, context.HasSucceeded);
}
[Theory]
[InlineData(UserRoles.Administrator, true)]
[InlineData(UserRoles.Guest, false)]
[InlineData(UserRoles.User, true)]
public async Task ShouldRequireUserIfNotRequiresAdmin(string userRole, bool shouldSucceed)
{
TestHelpers.SetupConfigurationManager(_configurationManagerMock, true);
var claims = TestHelpers.SetupUser(
_userManagerMock,
_httpContextAccessor,
userRole);
var context = new AuthorizationHandlerContext(
new List<IAuthorizationRequirement> { new FirstTimeSetupRequirement(false, false) },
claims,
null);
await _firstTimeSetupHandler.HandleAsync(context);
Assert.Equal(shouldSucceed, context.HasSucceeded);
}
[Fact]
public async Task ShouldAllowAdminApiKeyIfStartupWizardComplete()
{