Validate requested user id (#8812)

Cody Robibero
2023-02-17 15:16:08 -07:00
committed by GitHub
parent 9979b346ea
commit a527034ebe
24 changed files with 232 additions and 70 deletions


@@ -3,6 +3,7 @@ using System.ComponentModel.DataAnnotations;
using System.Threading.Tasks;
using Jellyfin.Api.Constants;
using Jellyfin.Api.Extensions;
using Jellyfin.Api.Helpers;
using MediaBrowser.Common.Extensions;
using MediaBrowser.Controller.Authentication;
using MediaBrowser.Controller.Net;
@@ -116,17 +117,11 @@ public class QuickConnectController : BaseJellyfinApiController
[ProducesResponseType(StatusCodes.Status403Forbidden)]
public async Task<ActionResult<bool>> AuthorizeQuickConnect([FromQuery, Required] string code, [FromQuery] Guid? userId = null)
{
var currentUserId = User.GetUserId();
var actualUserId = userId ?? currentUserId;
if (actualUserId.Equals(default) || (!userId.Equals(currentUserId) && !User.IsInRole(UserRoles.Administrator)))
{
return Forbid("Unknown user id");
}
userId = RequestHelpers.GetUserId(User, userId);
try
{
return await _quickConnect.AuthorizeRequest(actualUserId, code).ConfigureAwait(false);
return await _quickConnect.AuthorizeRequest(userId.Value, code).ConfigureAwait(false);
}
catch (AuthenticationException)
{