diff --git a/Jellyfin.Api/Auth/DefaultAuthorizationPolicy/DefaultAuthorizationHandler.cs b/Jellyfin.Api/Auth/DefaultAuthorizationPolicy/DefaultAuthorizationHandler.cs
index 7489e2a35..0f3c69abc 100644
--- a/Jellyfin.Api/Auth/DefaultAuthorizationPolicy/DefaultAuthorizationHandler.cs
+++ b/Jellyfin.Api/Auth/DefaultAuthorizationPolicy/DefaultAuthorizationHandler.cs
@@ -38,13 +38,6 @@ namespace Jellyfin.Api.Auth.DefaultAuthorizationPolicy
 ///
 protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, DefaultAuthorizationRequirement requirement)
 {
- // Admins can do everything
- if (context.User.GetIsApiKey() || context.User.IsInRole(UserRoles.Administrator))
- {
- context.Succeed(requirement);
- return Task.CompletedTask;
- }
-
 var userId = context.User.GetUserId();
 // This likely only happens during the wizard, so skip the default checks and let any other handlers do it
 if (userId.Equals(default))
@@ -62,6 +55,13 @@ namespace Jellyfin.Api.Auth.DefaultAuthorizationPolicy
 return Task.CompletedTask;
 }
+ // Admins can do everything
+ if (context.User.GetIsApiKey() || context.User.IsInRole(UserRoles.Administrator))
+ {
+ context.Succeed(requirement);
+ return Task.CompletedTask;
+ }
+
 // It's not great to have this check, but parental schedule must usually be honored except in a few rare cases
 if (requirement.ValidateParentalSchedule && !user.IsParentalScheduleAllowed())
 {
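Review bot: The moved condition in the second hunk still tests `context.User.GetIsApiKey()`, but it now runs after `var userId = context.User.GetUserId();` and the `userId.Equals(default)` branch, and the lines between the two hunks are not visible here. If an API-key principal carries no user id, it presumably takes the wizard branch and never reaches this test. If it does carry one, it now has to pass whatever lookup and checks sit in between, which could reject keys that were accepted before. It is worth confirming which of the two is intended and pinning it with handler tests for an API-key request and for an administrator. The comment should also state the new ordering, for example `// Admins and API keys skip the remaining checks, but only after the checks above have passed`; HandleRequirementAsync continues past the end of the hunk.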