[PR #15339] Fix: GetUsers endpoint now requires Admin privileges #14279

Open
opened 2026-02-07 07:27:17 +03:00 by OVERLORD · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/jellyfin/jellyfin/pull/15339
Author: @Cody-Howell-Snow
Created: 11/1/2025
Status: 🔄 Open

Base: master ← Head: master


📝 Commits (3)

  • a126615 Changed GetUsers endpoint to require admin access
  • 42d8bae Test completes if the new user tries to access GetUsers but is denied
  • 12b4f05 CompleteStartupAsync was split to allow getting the access token from a new account without changing the signature or functionality of the first function.

📊 Changes

3 files changed (+24 additions, -6 deletions)


📝 Jellyfin.Api/Controllers/UserController.cs (+1 -1)
📝 tests/Jellyfin.Server.Integration.Tests/AuthHelper.cs (+9 -5)
📝 tests/Jellyfin.Server.Integration.Tests/Controllers/UserControllerTests.cs (+14 -0)

📄 Description

Summary
The GetUsers endpoint was identified as a security vulnerability in #5415; the break-off issue #13990 suggests requiring Admin privileges to access it.

Changes
GetUsers endpoint now requires admin access.

UserControllerTests now includes a test to validate the created user cannot access that endpoint.
AuthHelper had a method split to allow getting the access token of a particular user without changing the signature or function of CompleteStartupAsync. The new method is Task<string> AuthenticateUserByNameAsync(HttpClient client, string username, string password).

Issues
Fixes https://github.com/jellyfin/jellyfin/issues/13990


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
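The PR description above gives the shape of the fix (an authorization policy on the action) and of the regression test (authenticate as a newly created non-admin user, call GetUsers, expect a denial). The following is an added example in C#, not code from the Jellyfin PR or repository: an ASP.NET Core action shown in its open and hardened forms, the policy registration the hardened form depends on, and an xUnit integration test that checks both the positive control (admin gets 200) and the fix (non-admin gets 403). The policy name `RequiresElevation`, the claim it checks, the `Users/AuthenticateByName` and `Users/New` routes and their request/response bodies, the `MediaBrowser` authorization header format, the `Program` host type and the sample credentials are all assumptions for illustration; only the helper signature `AuthenticateUserByNameAsync(HttpClient, string, string)` comes from the PR description.

```csharp
// Added example (not Jellyfin's code). Names marked "assumed" are illustrative
// and are not taken from the PR page.
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Net.Http.Json;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Testing;
using Microsoft.Extensions.DependencyInjection;
using Xunit;

[ApiController]
[Route("[controller]")]
public class UserController : ControllerBase
{
    // BEFORE (the open shape): any authenticated caller, including a freshly
    // created non-admin account, can enumerate every user on the server.
    //
    //   [HttpGet]
    //   [Authorize]
    //   public ActionResult<IEnumerable<string>> GetUsers() => ...;

    // AFTER: the action is gated by an elevation policy. A non-admin token is
    // authenticated but not authorized, so the framework answers 403 Forbidden.
    [HttpGet]
    [Authorize(Policy = "RequiresElevation")] // policy name assumed
    public ActionResult<IEnumerable<string>> GetUsers() =>
        Ok(new[] { "admin", "alice" }); // constructed sample data
}

public static class AuthorizationSetup
{
    // Registers the policy named in the attribute. The claim is assumed; a real
    // server derives admin status from its user store instead of a raw claim.
    public static void AddElevationPolicy(IServiceCollection services) =>
        services.AddAuthorization(options =>
            options.AddPolicy("RequiresElevation",
                policy => policy.RequireClaim("IsAdministrator", "true")));
}

public static class AuthHelper
{
    // Same signature as the helper the PR description names; route, body and
    // response shape are assumed.
    public static async Task<string> AuthenticateUserByNameAsync(
        HttpClient client, string username, string password)
    {
        using var request = new HttpRequestMessage(HttpMethod.Post, "Users/AuthenticateByName")
        {
            Content = JsonContent.Create(new { Username = username, Pw = password })
        };
        // No token yet: send only the device identification (header format assumed).
        request.Headers.Authorization = new AuthenticationHeaderValue("MediaBrowser",
            "Client=\"Tests\", Device=\"xunit\", DeviceId=\"test-device\", Version=\"1.0\"");
        using var response = await client.SendAsync(request);
        response.EnsureSuccessStatusCode();
        var result = await response.Content.ReadFromJsonAsync<AuthenticationResult>();
        return result!.AccessToken;
    }

    public static void UseToken(HttpClient client, string token) =>
        client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("MediaBrowser",
            $"Token=\"{token}\", Client=\"Tests\", Device=\"xunit\", DeviceId=\"test-device\", Version=\"1.0\"");

    private sealed record AuthenticationResult(string AccessToken);
}

// `Program` is the host under test (assumed); the factory spins it up in-process.
public sealed class UserControllerTests : IClassFixture<WebApplicationFactory<Program>>
{
    private readonly WebApplicationFactory<Program> _factory;
    public UserControllerTests(WebApplicationFactory<Program> factory) => _factory = factory;

    [Fact]
    public async Task GetUsers_AdminAllowed_NonAdminForbidden()
    {
        using var client = _factory.CreateClient();

        // Positive control: the pre-seeded admin (constructed credentials) still
        // gets the list, so the policy did not lock out legitimate callers.
        var adminToken = await AuthHelper.AuthenticateUserByNameAsync(client, "admin", "admin-pw");
        AuthHelper.UseToken(client, adminToken);
        using var adminResponse = await client.GetAsync("Users");
        Assert.Equal(HttpStatusCode.OK, adminResponse.StatusCode);

        // Create a plain user with the admin token (route and body assumed).
        using var created = await client.PostAsJsonAsync("Users/New",
            new { Name = "alice", Password = "correct-horse" });
        created.EnsureSuccessStatusCode();

        // The fix: authenticate as that user and expect 403, not 401. 401 would
        // mean the token itself was rejected, which is a different failure.
        var userToken = await AuthHelper.AuthenticateUserByNameAsync(client, "alice", "correct-horse");
        AuthHelper.UseToken(client, userToken);
        using var userResponse = await client.GetAsync("Users");
        Assert.Equal(HttpStatusCode.Forbidden, userResponse.StatusCode);
    }
}
```

Asserting on the exact status matters: a test that only checks for "not 200" would also pass when the non-admin token was malformed or expired (401), and would then say nothing about whether the authorization policy is actually in place.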

OVERLORD added the pull-request label 2026-02-07 07:27:17 +03:00
Reference: starred/jellyfin#14279