mirror of
https://github.com/jellyfin/jellyfin.git
synced 2025-06-03 13:44:22 -04:00
Fix get sessions with api key (#12696)
This commit is contained in:
gnattu
GitHub
parent
38d0b004ba
commit
75bbd30296
@ -1858,15 +1858,38 @@ namespace Emby.Server.Implementations.Session
|
|||||||
Guid userId,
|
Guid userId,
|
||||||
string deviceId,
|
string deviceId,
|
||||||
int? activeWithinSeconds,
|
int? activeWithinSeconds,
|
||||||
Guid? controllableUserToCheck)
|
Guid? controllableUserToCheck,
|
||||||
|
bool isApiKey)
|
||||||
{
|
{
|
||||||
var result = Sessions;
|
var result = Sessions;
|
||||||
var user = _userManager.GetUserById(userId);
|
|
||||||
if (!string.IsNullOrEmpty(deviceId))
|
if (!string.IsNullOrEmpty(deviceId))
|
||||||
{
|
{
|
||||||
result = result.Where(i => string.Equals(i.DeviceId, deviceId, StringComparison.OrdinalIgnoreCase));
|
result = result.Where(i => string.Equals(i.DeviceId, deviceId, StringComparison.OrdinalIgnoreCase));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
var userCanControlOthers = false;
|
||||||
|
var userIsAdmin = false;
|
||||||
|
User user = null;
|
||||||
|
|
||||||
|
if (isApiKey)
|
||||||
|
{
|
||||||
|
userCanControlOthers = true;
|
||||||
|
userIsAdmin = true;
|
||||||
|
}
|
||||||
|
else if (!userId.IsEmpty())
|
||||||
|
{
|
||||||
|
user = _userManager.GetUserById(userId);
|
||||||
|
if (user is not null)
|
||||||
|
{
|
||||||
|
userCanControlOthers = user.HasPermission(PermissionKind.EnableRemoteControlOfOtherUsers);
|
||||||
|
userIsAdmin = user.HasPermission(PermissionKind.IsAdministrator);
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
return [];
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if (!controllableUserToCheck.IsNullOrEmpty())
|
if (!controllableUserToCheck.IsNullOrEmpty())
|
||||||
{
|
{
|
||||||
result = result.Where(i => i.SupportsRemoteControl);
|
result = result.Where(i => i.SupportsRemoteControl);
|
||||||
@ -1883,29 +1906,34 @@ namespace Emby.Server.Implementations.Session
|
|||||||
result = result.Where(i => !i.UserId.IsEmpty());
|
result = result.Where(i => !i.UserId.IsEmpty());
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!user.HasPermission(PermissionKind.EnableRemoteControlOfOtherUsers))
|
if (!userCanControlOthers)
|
||||||
{
|
{
|
||||||
// User cannot control other user's sessions, validate user id.
|
// User cannot control other user's sessions, validate user id.
|
||||||
result = result.Where(i => i.UserId.IsEmpty() || i.ContainsUser(user.Id));
|
result = result.Where(i => i.UserId.IsEmpty() || i.ContainsUser(userId));
|
||||||
}
|
}
|
||||||
|
|
||||||
result = result.Where(i =>
|
result = result.Where(i =>
|
||||||
{
|
{
|
||||||
if (!string.IsNullOrWhiteSpace(i.DeviceId) && !_deviceManager.CanAccessDevice(user, i.DeviceId))
|
if (isApiKey)
|
||||||
|
{
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (user is null)
|
||||||
{
|
{
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
return true;
|
return string.IsNullOrWhiteSpace(i.DeviceId) || _deviceManager.CanAccessDevice(user, i.DeviceId);
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
else if (!user.HasPermission(PermissionKind.IsAdministrator))
|
else if (!userIsAdmin)
|
||||||
{
|
{
|
||||||
// Request isn't from administrator, limit to "own" sessions.
|
// Request isn't from administrator, limit to "own" sessions.
|
||||||
result = result.Where(i => i.UserId.IsEmpty() || i.ContainsUser(userId));
|
result = result.Where(i => i.UserId.IsEmpty() || i.ContainsUser(userId));
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!user.HasPermission(PermissionKind.IsAdministrator))
|
if (!userIsAdmin)
|
||||||
{
|
{
|
||||||
// Don't report acceleration type for non-admin users.
|
// Don't report acceleration type for non-admin users.
|
||||||
result = result.Select(r =>
|
result = result.Select(r =>
|
||||||
|
|||||||
@ -62,7 +62,8 @@ public class SessionController : BaseJellyfinApiController
|
|||||||
User.GetUserId(),
|
User.GetUserId(),
|
||||||
deviceId,
|
deviceId,
|
||||||
activeWithinSeconds,
|
activeWithinSeconds,
|
||||||
controllableUserToCheck);
|
controllableUserToCheck,
|
||||||
|
User.GetIsApiKey());
|
||||||
|
|
||||||
return Ok(result);
|
return Ok(result);
|
||||||
}
|
}
|
||||||
|
|||||||
@ -300,8 +300,9 @@ namespace MediaBrowser.Controller.Session
|
|||||||
/// <param name="deviceId">The device id.</param>
|
/// <param name="deviceId">The device id.</param>
|
||||||
/// <param name="activeWithinSeconds">Active within session limit.</param>
|
/// <param name="activeWithinSeconds">Active within session limit.</param>
|
||||||
/// <param name="controllableUserToCheck">Filter for sessions remote controllable for this user.</param>
|
/// <param name="controllableUserToCheck">Filter for sessions remote controllable for this user.</param>
|
||||||
|
/// <param name="isApiKey">Is the request authenticated with API key.</param>
|
||||||
/// <returns>IReadOnlyList{SessionInfoDto}.</returns>
|
/// <returns>IReadOnlyList{SessionInfoDto}.</returns>
|
||||||
IReadOnlyList<SessionInfoDto> GetSessions(Guid userId, string deviceId, int? activeWithinSeconds, Guid? controllableUserToCheck);
|
IReadOnlyList<SessionInfoDto> GetSessions(Guid userId, string deviceId, int? activeWithinSeconds, Guid? controllableUserToCheck, bool isApiKey);
|
||||||
|
|
||||||
/// <summary>
|
/// <summary>
|
||||||
/// Gets the session by authentication token.
|
/// Gets the session by authentication token.
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user