Change arguments AssertCanUpdateUser to take a user
This commit is contained in:
parent
c831af2fe2
commit
4549337335
@ -109,7 +109,7 @@ public class ImageController : BaseJellyfinApiController
|
|||||||
return NotFound();
|
return NotFound();
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!RequestHelpers.AssertCanUpdateUser(_userManager, HttpContext.User, requestUserId, true))
|
if (!RequestHelpers.AssertCanUpdateUser(HttpContext.User, user, true))
|
||||||
{
|
{
|
||||||
return StatusCode(StatusCodes.Status403Forbidden, "User is not allowed to update the image.");
|
return StatusCode(StatusCodes.Status403Forbidden, "User is not allowed to update the image.");
|
||||||
}
|
}
|
||||||
@ -203,13 +203,18 @@ public class ImageController : BaseJellyfinApiController
|
|||||||
[FromQuery] Guid? userId)
|
[FromQuery] Guid? userId)
|
||||||
{
|
{
|
||||||
var requestUserId = RequestHelpers.GetUserId(User, userId);
|
var requestUserId = RequestHelpers.GetUserId(User, userId);
|
||||||
if (!RequestHelpers.AssertCanUpdateUser(_userManager, HttpContext.User, requestUserId, true))
|
var user = _userManager.GetUserById(requestUserId);
|
||||||
|
if (user is null)
|
||||||
|
{
|
||||||
|
return NotFound();
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!RequestHelpers.AssertCanUpdateUser(HttpContext.User, user, true))
|
||||||
{
|
{
|
||||||
return StatusCode(StatusCodes.Status403Forbidden, "User is not allowed to delete the image.");
|
return StatusCode(StatusCodes.Status403Forbidden, "User is not allowed to delete the image.");
|
||||||
}
|
}
|
||||||
|
|
||||||
var user = _userManager.GetUserById(requestUserId);
|
if (user.ProfileImage is null)
|
||||||
if (user?.ProfileImage is null)
|
|
||||||
{
|
{
|
||||||
return NoContent();
|
return NoContent();
|
||||||
}
|
}
|
||||||
|
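Review bot: In the DeleteUserImage hunk (`@ -203,13 +203,18`) the new order answers `NotFound()` for a missing user before `AssertCanUpdateUser` runs, so a non-administrator supplying another user's id now receives 404 or 403 depending on whether that user exists, whereas the old helper returned false on the `userId`/administrator test before its `GetUserById` lookup. The same reordering appears in both ItemsController hunks and in the UpdateUserPassword and UpdateUserConfiguration hunks of UserController (the UpdateUser hunk already had 404 ahead of the check before this commit). With GUID user ids this is a weak existence oracle, so the impact is low, but it is a regression from the previous ordering; one option is to answer the null branch with the 403 unless `User.IsInRole(UserRoles.Administrator) || requestUserId.Equals(User.GetUserId())`, or to run that self-or-administrator test before the lookup. A comment such as `// Authorize before revealing whether the target user exists` on the lookup would document the intended order. The enclosing method continues outside the hunk.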
@ -972,12 +972,17 @@ public class ItemsController : BaseJellyfinApiController
|
|||||||
[FromRoute, Required] Guid itemId)
|
[FromRoute, Required] Guid itemId)
|
||||||
{
|
{
|
||||||
var requestUserId = RequestHelpers.GetUserId(User, userId);
|
var requestUserId = RequestHelpers.GetUserId(User, userId);
|
||||||
if (!RequestHelpers.AssertCanUpdateUser(_userManager, User, requestUserId, true))
|
var user = _userManager.GetUserById(requestUserId);
|
||||||
|
if (user is null)
|
||||||
|
{
|
||||||
|
return NotFound();
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!RequestHelpers.AssertCanUpdateUser(User, user, true))
|
||||||
{
|
{
|
||||||
return StatusCode(StatusCodes.Status403Forbidden, "User is not allowed to view this item user data.");
|
return StatusCode(StatusCodes.Status403Forbidden, "User is not allowed to view this item user data.");
|
||||||
}
|
}
|
||||||
|
|
||||||
var user = _userManager.GetUserById(requestUserId) ?? throw new ResourceNotFoundException();
|
|
||||||
var item = _libraryManager.GetItemById<BaseItem>(itemId, user);
|
var item = _libraryManager.GetItemById<BaseItem>(itemId, user);
|
||||||
if (item is null)
|
if (item is null)
|
||||||
{
|
{
|
||||||
@ -1023,12 +1028,17 @@ public class ItemsController : BaseJellyfinApiController
|
|||||||
[FromBody, Required] UpdateUserItemDataDto userDataDto)
|
[FromBody, Required] UpdateUserItemDataDto userDataDto)
|
||||||
{
|
{
|
||||||
var requestUserId = RequestHelpers.GetUserId(User, userId);
|
var requestUserId = RequestHelpers.GetUserId(User, userId);
|
||||||
if (!RequestHelpers.AssertCanUpdateUser(_userManager, User, requestUserId, true))
|
var user = _userManager.GetUserById(requestUserId);
|
||||||
|
if (user is null)
|
||||||
|
{
|
||||||
|
return NotFound();
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!RequestHelpers.AssertCanUpdateUser(User, user, true))
|
||||||
{
|
{
|
||||||
return StatusCode(StatusCodes.Status403Forbidden, "User is not allowed to update this item user data.");
|
return StatusCode(StatusCodes.Status403Forbidden, "User is not allowed to update this item user data.");
|
||||||
}
|
}
|
||||||
|
|
||||||
var user = _userManager.GetUserById(requestUserId) ?? throw new ResourceNotFoundException();
|
|
||||||
var item = _libraryManager.GetItemById<BaseItem>(itemId, user);
|
var item = _libraryManager.GetItemById<BaseItem>(itemId, user);
|
||||||
if (item is null)
|
if (item is null)
|
||||||
{
|
{
|
||||||
|
@ -274,16 +274,15 @@ public class UserController : BaseJellyfinApiController
|
|||||||
[FromBody, Required] UpdateUserPassword request)
|
[FromBody, Required] UpdateUserPassword request)
|
||||||
{
|
{
|
||||||
var requestUserId = userId ?? User.GetUserId();
|
var requestUserId = userId ?? User.GetUserId();
|
||||||
if (!RequestHelpers.AssertCanUpdateUser(_userManager, User, requestUserId, true))
|
|
||||||
{
|
|
||||||
return StatusCode(StatusCodes.Status403Forbidden, "User is not allowed to update the password.");
|
|
||||||
}
|
|
||||||
|
|
||||||
var user = _userManager.GetUserById(requestUserId);
|
var user = _userManager.GetUserById(requestUserId);
|
||||||
|
|
||||||
if (user is null)
|
if (user is null)
|
||||||
{
|
{
|
||||||
return NotFound("User not found");
|
return NotFound();
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!RequestHelpers.AssertCanUpdateUser(User, user, true))
|
||||||
|
{
|
||||||
|
return StatusCode(StatusCodes.Status403Forbidden, "User is not allowed to update the password.");
|
||||||
}
|
}
|
||||||
|
|
||||||
if (request.ResetPassword)
|
if (request.ResetPassword)
|
||||||
@ -386,7 +385,7 @@ public class UserController : BaseJellyfinApiController
|
|||||||
return NotFound();
|
return NotFound();
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!RequestHelpers.AssertCanUpdateUser(_userManager, User, requestUserId, true))
|
if (!RequestHelpers.AssertCanUpdateUser(User, user, true))
|
||||||
{
|
{
|
||||||
return StatusCode(StatusCodes.Status403Forbidden, "User update not allowed.");
|
return StatusCode(StatusCodes.Status403Forbidden, "User update not allowed.");
|
||||||
}
|
}
|
||||||
@ -396,7 +395,7 @@ public class UserController : BaseJellyfinApiController
|
|||||||
await _userManager.RenameUser(user, updateUser.Name).ConfigureAwait(false);
|
await _userManager.RenameUser(user, updateUser.Name).ConfigureAwait(false);
|
||||||
}
|
}
|
||||||
|
|
||||||
await _userManager.UpdateConfigurationAsync(user.Id, updateUser.Configuration).ConfigureAwait(false);
|
await _userManager.UpdateConfigurationAsync(requestUserId, updateUser.Configuration).ConfigureAwait(false);
|
||||||
|
|
||||||
return NoContent();
|
return NoContent();
|
||||||
}
|
}
|
||||||
@ -495,7 +494,13 @@ public class UserController : BaseJellyfinApiController
|
|||||||
[FromBody, Required] UserConfiguration userConfig)
|
[FromBody, Required] UserConfiguration userConfig)
|
||||||
{
|
{
|
||||||
var requestUserId = userId ?? User.GetUserId();
|
var requestUserId = userId ?? User.GetUserId();
|
||||||
if (!RequestHelpers.AssertCanUpdateUser(_userManager, User, requestUserId, true))
|
var user = _userManager.GetUserById(requestUserId);
|
||||||
|
if (user is null)
|
||||||
|
{
|
||||||
|
return NotFound();
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!RequestHelpers.AssertCanUpdateUser(User, user, true))
|
||||||
{
|
{
|
||||||
return StatusCode(StatusCodes.Status403Forbidden, "User configuration update not allowed");
|
return StatusCode(StatusCodes.Status403Forbidden, "User configuration update not allowed");
|
||||||
}
|
}
|
||||||
|
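Review bot: In the UpdateUser hunk (`@ -396,7 +395,7`), `UpdateConfigurationAsync` now receives `requestUserId` where it previously received `user.Id`, although the authorization check just above it is evaluated against `user`. Presumably `user` was fetched with `GetUserById(requestUserId)` earlier in the method (outside the hunk), so the two values are equal, but keying the write on the entity that was authorized keeps the checked and the mutated record visibly the same: `await _userManager.UpdateConfigurationAsync(user.Id, updateUser.Configuration).ConfigureAwait(false);`. The enclosing method starts outside the hunk.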
@ -86,18 +86,17 @@ public static class RequestHelpers
|
|||||||
/// <summary>
|
/// <summary>
|
||||||
/// Checks if the user can update an entry.
|
/// Checks if the user can update an entry.
|
||||||
/// </summary>
|
/// </summary>
|
||||||
/// <param name="userManager">An instance of the <see cref="IUserManager"/> interface.</param>
|
|
||||||
/// <param name="claimsPrincipal">The <see cref="ClaimsPrincipal"/> for the current request.</param>
|
/// <param name="claimsPrincipal">The <see cref="ClaimsPrincipal"/> for the current request.</param>
|
||||||
/// <param name="userId">The user id.</param>
|
/// <param name="user">The user id.</param>
|
||||||
/// <param name="restrictUserPreferences">Whether to restrict the user preferences.</param>
|
/// <param name="restrictUserPreferences">Whether to restrict the user preferences.</param>
|
||||||
/// <returns>A <see cref="bool"/> whether the user can update the entry.</returns>
|
/// <returns>A <see cref="bool"/> whether the user can update the entry.</returns>
|
||||||
internal static bool AssertCanUpdateUser(IUserManager userManager, ClaimsPrincipal claimsPrincipal, Guid userId, bool restrictUserPreferences)
|
internal static bool AssertCanUpdateUser(ClaimsPrincipal claimsPrincipal, User user, bool restrictUserPreferences)
|
||||||
{
|
{
|
||||||
var authenticatedUserId = claimsPrincipal.GetUserId();
|
var authenticatedUserId = claimsPrincipal.GetUserId();
|
||||||
var isAdministrator = claimsPrincipal.IsInRole(UserRoles.Administrator);
|
var isAdministrator = claimsPrincipal.IsInRole(UserRoles.Administrator);
|
||||||
|
|
||||||
// If they're going to update the record of another user, they must be an administrator
|
// If they're going to update the record of another user, they must be an administrator
|
||||||
if (!userId.Equals(authenticatedUserId) && !isAdministrator)
|
if (!user.Id.Equals(authenticatedUserId) && !isAdministrator)
|
||||||
{
|
{
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
@ -108,12 +107,6 @@ public static class RequestHelpers
|
|||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
var user = userManager.GetUserById(userId);
|
|
||||||
if (user is null)
|
|
||||||
{
|
|
||||||
throw new ResourceNotFoundException();
|
|
||||||
}
|
|
||||||
|
|
||||||
return user.EnableUserPreferenceAccess;
|
return user.EnableUserPreferenceAccess;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
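Review bot: The new `<param name="user">The user id.</param>` in the first RequestHelpers hunk still describes a Guid, but the parameter is now a `User`; it should read `/// <param name="user">The <see cref="User"/> whose record is to be updated.</param>`. Since the second hunk removes the lookup and the `ResourceNotFoundException`, the summary should also state that callers resolve the user themselves and must pass a non-null instance, and a guard such as `ArgumentNullException.ThrowIfNull(user);` at the top of the method would make that contract explicit if the project targets .NET 6 or later. The method body spans both hunks, so the returns documentation and the remaining preference check are the only lines left to confirm outside them.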