mirror of
https://github.com/jellyfin/jellyfin.git
synced 2025-04-23 21:47:14 -04:00
Change arguments AssertCanUpdateUser to take a user
This commit is contained in:
Bond_009
parent
c831af2fe2
commit
4549337335
4 changed files with 41 additions and 28 deletions
|
|
@ -109,7 +109,7 @@ public class ImageController : BaseJellyfinApiController
|
|||
return NotFound();
|
||||
}
|
||||
|
||||
if (!RequestHelpers.AssertCanUpdateUser(_userManager, HttpContext.User, requestUserId, true))
|
||||
if (!RequestHelpers.AssertCanUpdateUser(HttpContext.User, user, true))
|
||||
{
|
||||
return StatusCode(StatusCodes.Status403Forbidden, "User is not allowed to update the image.");
|
||||
}
|
||||
|
|
@ -203,13 +203,18 @@ public class ImageController : BaseJellyfinApiController
|
|||
[FromQuery] Guid? userId)
|
||||
{
|
||||
var requestUserId = RequestHelpers.GetUserId(User, userId);
|
||||
if (!RequestHelpers.AssertCanUpdateUser(_userManager, HttpContext.User, requestUserId, true))
|
||||
var user = _userManager.GetUserById(requestUserId);
|
||||
if (user is null)
|
||||
{
|
||||
return NotFound();
|
||||
}
|
||||
|
||||
if (!RequestHelpers.AssertCanUpdateUser(HttpContext.User, user, true))
|
||||
{
|
||||
return StatusCode(StatusCodes.Status403Forbidden, "User is not allowed to delete the image.");
|
||||
}
|
||||
|
||||
var user = _userManager.GetUserById(requestUserId);
|
||||
if (user?.ProfileImage is null)
|
||||
if (user.ProfileImage is null)
|
||||
{
|
||||
return NoContent();
|
||||
}
|
||||
|
|
|
|||
|
|
@ -972,12 +972,17 @@ public class ItemsController : BaseJellyfinApiController
|
|||
[FromRoute, Required] Guid itemId)
|
||||
{
|
||||
var requestUserId = RequestHelpers.GetUserId(User, userId);
|
||||
if (!RequestHelpers.AssertCanUpdateUser(_userManager, User, requestUserId, true))
|
||||
var user = _userManager.GetUserById(requestUserId);
|
||||
if (user is null)
|
||||
{
|
||||
return NotFound();
|
||||
}
|
||||
|
||||
if (!RequestHelpers.AssertCanUpdateUser(User, user, true))
|
||||
{
|
||||
return StatusCode(StatusCodes.Status403Forbidden, "User is not allowed to view this item user data.");
|
||||
}
|
||||
|
||||
var user = _userManager.GetUserById(requestUserId) ?? throw new ResourceNotFoundException();
|
||||
var item = _libraryManager.GetItemById<BaseItem>(itemId, user);
|
||||
if (item is null)
|
||||
{
|
||||
|
|
@ -1023,12 +1028,17 @@ public class ItemsController : BaseJellyfinApiController
|
|||
[FromBody, Required] UpdateUserItemDataDto userDataDto)
|
||||
{
|
||||
var requestUserId = RequestHelpers.GetUserId(User, userId);
|
||||
if (!RequestHelpers.AssertCanUpdateUser(_userManager, User, requestUserId, true))
|
||||
var user = _userManager.GetUserById(requestUserId);
|
||||
if (user is null)
|
||||
{
|
||||
return NotFound();
|
||||
}
|
||||
|
||||
if (!RequestHelpers.AssertCanUpdateUser(User, user, true))
|
||||
{
|
||||
return StatusCode(StatusCodes.Status403Forbidden, "User is not allowed to update this item user data.");
|
||||
}
|
||||
|
||||
var user = _userManager.GetUserById(requestUserId) ?? throw new ResourceNotFoundException();
|
||||
var item = _libraryManager.GetItemById<BaseItem>(itemId, user);
|
||||
if (item is null)
|
||||
{
|
||||
|
|
|
|||
|
|
@ -274,16 +274,15 @@ public class UserController : BaseJellyfinApiController
|
|||
[FromBody, Required] UpdateUserPassword request)
|
||||
{
|
||||
var requestUserId = userId ?? User.GetUserId();
|
||||
if (!RequestHelpers.AssertCanUpdateUser(_userManager, User, requestUserId, true))
|
||||
{
|
||||
return StatusCode(StatusCodes.Status403Forbidden, "User is not allowed to update the password.");
|
||||
}
|
||||
|
||||
var user = _userManager.GetUserById(requestUserId);
|
||||
|
||||
if (user is null)
|
||||
{
|
||||
return NotFound("User not found");
|
||||
return NotFound();
|
||||
}
|
||||
|
||||
if (!RequestHelpers.AssertCanUpdateUser(User, user, true))
|
||||
{
|
||||
return StatusCode(StatusCodes.Status403Forbidden, "User is not allowed to update the password.");
|
||||
}
|
||||
|
||||
if (request.ResetPassword)
|
||||
|
|
@ -386,7 +385,7 @@ public class UserController : BaseJellyfinApiController
|
|||
return NotFound();
|
||||
}
|
||||
|
||||
if (!RequestHelpers.AssertCanUpdateUser(_userManager, User, requestUserId, true))
|
||||
if (!RequestHelpers.AssertCanUpdateUser(User, user, true))
|
||||
{
|
||||
return StatusCode(StatusCodes.Status403Forbidden, "User update not allowed.");
|
||||
}
|
||||
|
|
@ -396,7 +395,7 @@ public class UserController : BaseJellyfinApiController
|
|||
await _userManager.RenameUser(user, updateUser.Name).ConfigureAwait(false);
|
||||
}
|
||||
|
||||
await _userManager.UpdateConfigurationAsync(user.Id, updateUser.Configuration).ConfigureAwait(false);
|
||||
await _userManager.UpdateConfigurationAsync(requestUserId, updateUser.Configuration).ConfigureAwait(false);
|
||||
|
||||
return NoContent();
|
||||
}
|
||||
|
|
@ -495,7 +494,13 @@ public class UserController : BaseJellyfinApiController
|
|||
[FromBody, Required] UserConfiguration userConfig)
|
||||
{
|
||||
var requestUserId = userId ?? User.GetUserId();
|
||||
if (!RequestHelpers.AssertCanUpdateUser(_userManager, User, requestUserId, true))
|
||||
var user = _userManager.GetUserById(requestUserId);
|
||||
if (user is null)
|
||||
{
|
||||
return NotFound();
|
||||
}
|
||||
|
||||
if (!RequestHelpers.AssertCanUpdateUser(User, user, true))
|
||||
{
|
||||
return StatusCode(StatusCodes.Status403Forbidden, "User configuration update not allowed");
|
||||
}
|
||||
|
|
|
|||
|
|
@ -86,18 +86,17 @@ public static class RequestHelpers
|
|||
/// <summary>
|
||||
/// Checks if the user can update an entry.
|
||||
/// </summary>
|
||||
/// <param name="userManager">An instance of the <see cref="IUserManager"/> interface.</param>
|
||||
/// <param name="claimsPrincipal">The <see cref="ClaimsPrincipal"/> for the current request.</param>
|
||||
/// <param name="userId">The user id.</param>
|
||||
/// <param name="user">The user id.</param>
|
||||
/// <param name="restrictUserPreferences">Whether to restrict the user preferences.</param>
|
||||
/// <returns>A <see cref="bool"/> whether the user can update the entry.</returns>
|
||||
internal static bool AssertCanUpdateUser(IUserManager userManager, ClaimsPrincipal claimsPrincipal, Guid userId, bool restrictUserPreferences)
|
||||
internal static bool AssertCanUpdateUser(ClaimsPrincipal claimsPrincipal, User user, bool restrictUserPreferences)
|
||||
{
|
||||
var authenticatedUserId = claimsPrincipal.GetUserId();
|
||||
var isAdministrator = claimsPrincipal.IsInRole(UserRoles.Administrator);
|
||||
|
||||
// If they're going to update the record of another user, they must be an administrator
|
||||
if (!userId.Equals(authenticatedUserId) && !isAdministrator)
|
||||
if (!user.Id.Equals(authenticatedUserId) && !isAdministrator)
|
||||
{
|
||||
return false;
|
||||
}
|
||||
|
|
@ -108,12 +107,6 @@ public static class RequestHelpers
|
|||
return true;
|
||||
}
|
||||
|
||||
var user = userManager.GetUserById(userId);
|
||||
if (user is null)
|
||||
{
|
||||
throw new ResourceNotFoundException();
|
||||
}
|
||||
|
||||
return user.EnableUserPreferenceAccess;
|
||||
}
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue