github-mirrors/jellyfin
1
0
Fork 0
mirror of https://github.com/jellyfin/jellyfin.git synced 2025-04-23 21:47:14 -04:00
Code Issues Projects Releases Packages Wiki Activity

Fix get sessions with api key (#12696)

Browse source
This commit is contained in:
gnattu 2024-09-24 22:15:53 +08:00 committed by GitHub
parent 38d0b004ba
commit 75bbd30296
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 40 additions and 10 deletions
Download patch file Download diff file Expand all files Collapse all files

44
Emby.Server.Implementations/Session/SessionManager.cs
View file

@ -1858,15 +1858,38 @@ namespace Emby.Server.Implementations.Session
Guid userId,
string deviceId,
int? activeWithinSeconds,
Guid? controllableUserToCheck)
Guid? controllableUserToCheck,
bool isApiKey)
{
var result = Sessions;
var user = _userManager.GetUserById(userId);
if (!string.IsNullOrEmpty(deviceId))
{
result = result.Where(i => string.Equals(i.DeviceId, deviceId, StringComparison.OrdinalIgnoreCase));
}
var userCanControlOthers = false;
var userIsAdmin = false;
User user = null;
if (isApiKey)
{
userCanControlOthers = true;
userIsAdmin = true;
}
else if (!userId.IsEmpty())
{
user = _userManager.GetUserById(userId);
if (user is not null)
{
userCanControlOthers = user.HasPermission(PermissionKind.EnableRemoteControlOfOtherUsers);
userIsAdmin = user.HasPermission(PermissionKind.IsAdministrator);
}
else
{
return [];
}
}
if (!controllableUserToCheck.IsNullOrEmpty())
{
result = result.Where(i => i.SupportsRemoteControl);
@ -1883,29 +1906,34 @@ namespace Emby.Server.Implementations.Session
result = result.Where(i => !i.UserId.IsEmpty());
}
if (!user.HasPermission(PermissionKind.EnableRemoteControlOfOtherUsers))
if (!userCanControlOthers)
{
// User cannot control other user's sessions, validate user id.
result = result.Where(i => i.UserId.IsEmpty() || i.ContainsUser(user.Id));
result = result.Where(i => i.UserId.IsEmpty() || i.ContainsUser(userId));
}
result = result.Where(i =>
{
if (!string.IsNullOrWhiteSpace(i.DeviceId) && !_deviceManager.CanAccessDevice(user, i.DeviceId))
if (isApiKey)
{
return true;
}
if (user is null)
{
return false;
}
return true;
return string.IsNullOrWhiteSpace(i.DeviceId) || _deviceManager.CanAccessDevice(user, i.DeviceId);
});
}
else if (!user.HasPermission(PermissionKind.IsAdministrator))
else if (!userIsAdmin)
{
// Request isn't from administrator, limit to "own" sessions.
result = result.Where(i => i.UserId.IsEmpty() || i.ContainsUser(userId));
}
if (!user.HasPermission(PermissionKind.IsAdministrator))
if (!userIsAdmin)
{
// Don't report acceleration type for non-admin users.
result = result.Select(r =>

3
Jellyfin.Api/Controllers/SessionController.cs
View file

@ -62,7 +62,8 @@ public class SessionController : BaseJellyfinApiController
User.GetUserId(),
deviceId,
activeWithinSeconds,
controllableUserToCheck);
controllableUserToCheck,
User.GetIsApiKey());
return Ok(result);
}

3
MediaBrowser.Controller/Session/ISessionManager.cs
View file

@ -300,8 +300,9 @@ namespace MediaBrowser.Controller.Session
/// <param name="deviceId">The device id.</param>
/// <param name="activeWithinSeconds">Active within session limit.</param>
/// <param name="controllableUserToCheck">Filter for sessions remote controllable for this user.</param>
/// <param name="isApiKey">Is the request authenticated with API key.</param>
/// <returns>IReadOnlyList{SessionInfoDto}.</returns>
IReadOnlyList<SessionInfoDto> GetSessions(Guid userId, string deviceId, int? activeWithinSeconds, Guid? controllableUserToCheck);
IReadOnlyList<SessionInfoDto> GetSessions(Guid userId, string deviceId, int? activeWithinSeconds, Guid? controllableUserToCheck, bool isApiKey);
/// <summary>
/// Gets the session by authentication token.