jellyfin/Emby.Server.Implementations/HttpServer/Security/AuthService.cs

#pragma warning disable CS1591
#pragma warning disable SA1600

using System;
using System.Linq;
using Emby.Server.Implementations.SocketSharp;
using MediaBrowser.Common.Net;
using MediaBrowser.Controller.Configuration;
using MediaBrowser.Controller.Entities;
using MediaBrowser.Controller.Net;
using MediaBrowser.Controller.Security;
using MediaBrowser.Controller.Session;
using MediaBrowser.Model.Services;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Logging;

namespace Emby.Server.Implementations.HttpServer.Security
{
    public class AuthService : IAuthService
    {
        private readonly ILogger<AuthService> _logger;
        private readonly IAuthorizationContext _authorizationContext;
        private readonly ISessionManager _sessionManager;
        private readonly IServerConfigurationManager _config;
        private readonly INetworkManager _networkManager;

        public AuthService(
            ILogger<AuthService> logger,
            IAuthorizationContext authorizationContext,
            IServerConfigurationManager config,
            ISessionManager sessionManager,
            INetworkManager networkManager)
        {
            _logger = logger;
            _authorizationContext = authorizationContext;
            _config = config;
            _sessionManager = sessionManager;
            _networkManager = networkManager;
        }

        public void Authenticate(IRequest request, IAuthenticationAttributes authAttribtues)
        {
            ValidateUser(request, authAttribtues);
        }

        public User Authenticate(HttpRequest request, IAuthenticationAttributes authAttributes)
        {
            var req = new WebSocketSharpRequest(request, null, request.Path, _logger);
            var user = ValidateUser(req, authAttributes);
            return user;
        }

        private User ValidateUser(IRequest request, IAuthenticationAttributes authAttribtues)
        {
            // This code is executed before the service
            var auth = _authorizationContext.GetAuthorizationInfo(request);

            if (!IsExemptFromAuthenticationToken(authAttribtues, request))
            {
                ValidateSecurityToken(request, auth.Token);
            }

            if (authAttribtues.AllowLocalOnly && !request.IsLocal)
            {
                throw new SecurityException("Operation not found.");
            }

            var user = auth.User;

            if (user == null && auth.UserId != Guid.Empty)
            {
                throw new SecurityException("User with Id " + auth.UserId + " not found");
            }

            if (user != null)
            {
                ValidateUserAccess(user, request, authAttribtues, auth);
            }

            var info = GetTokenInfo(request);

            if (!IsExemptFromRoles(auth, authAttribtues, request, info))
            {
                var roles = authAttribtues.GetRoles();

                ValidateRoles(roles, user);
            }

            if (!string.IsNullOrEmpty(auth.DeviceId) &&
                !string.IsNullOrEmpty(auth.Client) &&
                !string.IsNullOrEmpty(auth.Device))
            {
                _sessionManager.LogSessionActivity(auth.Client,
                    auth.Version,
                    auth.DeviceId,
                    auth.Device,
                    request.RemoteIp,
                    user);
            }

            return user;
        }

        private void ValidateUserAccess(
            User user,
            IRequest request,
            IAuthenticationAttributes authAttribtues,
            AuthorizationInfo auth)
        {
            if (user.Policy.IsDisabled)
            {
                throw new SecurityException("User account has been disabled.")
                {
                    SecurityExceptionType = SecurityExceptionType.Unauthenticated
                };
            }

            if (!user.Policy.EnableRemoteAccess && !_networkManager.IsInLocalNetwork(request.RemoteIp))
            {
                throw new SecurityException("User account has been disabled.")
                {
                    SecurityExceptionType = SecurityExceptionType.Unauthenticated
                };
            }

            if (!user.Policy.IsAdministrator
                && !authAttribtues.EscapeParentalControl
                && !user.IsParentalScheduleAllowed())
            {
                request.Response.Headers.Add("X-Application-Error-Code", "ParentalControl");

                throw new SecurityException("This user account is not allowed access at this time.")
                {
                    SecurityExceptionType = SecurityExceptionType.ParentalControl
                };
            }
        }

        private bool IsExemptFromAuthenticationToken(IAuthenticationAttributes authAttribtues, IRequest request)
        {
            if (!_config.Configuration.IsStartupWizardCompleted && authAttribtues.AllowBeforeStartupWizard)
            {
                return true;
            }

            if (authAttribtues.AllowLocal && request.IsLocal)
            {
                return true;
            }
            if (authAttribtues.AllowLocalOnly && request.IsLocal)
            {
                return true;
            }

            return false;
        }

        private bool IsExemptFromRoles(AuthorizationInfo auth, IAuthenticationAttributes authAttribtues, IRequest request, AuthenticationInfo tokenInfo)
        {
            if (!_config.Configuration.IsStartupWizardCompleted && authAttribtues.AllowBeforeStartupWizard)
            {
                return true;
            }

            if (authAttribtues.AllowLocal && request.IsLocal)
            {
                return true;
            }

            if (authAttribtues.AllowLocalOnly && request.IsLocal)
            {
                return true;
            }

            if (string.IsNullOrEmpty(auth.Token))
            {
                return true;
            }

            if (tokenInfo != null && tokenInfo.UserId.Equals(Guid.Empty))
            {
                return true;
            }

            return false;
        }

        private static void ValidateRoles(string[] roles, User user)
        {
            if (roles.Contains("admin", StringComparer.OrdinalIgnoreCase))
            {
                if (user == null || !user.Policy.IsAdministrator)
                {
                    throw new SecurityException("User does not have admin access.")
                    {
                        SecurityExceptionType = SecurityExceptionType.Unauthenticated
                    };
                }
            }

            if (roles.Contains("delete", StringComparer.OrdinalIgnoreCase))
            {
                if (user == null || !user.Policy.EnableContentDeletion)
                {
                    throw new SecurityException("User does not have delete access.")
                    {
                        SecurityExceptionType = SecurityExceptionType.Unauthenticated
                    };
                }
            }

            if (roles.Contains("download", StringComparer.OrdinalIgnoreCase))
            {
                if (user == null || !user.Policy.EnableContentDownloading)
                {
                    throw new SecurityException("User does not have download access.")
                    {
                        SecurityExceptionType = SecurityExceptionType.Unauthenticated
                    };
                }
            }
        }

        private static AuthenticationInfo GetTokenInfo(IRequest request)
        {
            request.Items.TryGetValue("OriginalAuthenticationInfo", out var info);
            return info as AuthenticationInfo;
        }

        private void ValidateSecurityToken(IRequest request, string token)
        {
            if (string.IsNullOrEmpty(token))
            {
                throw new SecurityException("Access token is required.");
            }

            var info = GetTokenInfo(request);

            if (info == null)
            {
                throw new SecurityException("Access token is invalid or expired.");
            }

            //if (!string.IsNullOrEmpty(info.UserId))
            //{
            //    var user = _userManager.GetUserById(info.UserId);

            //    if (user == null || user.Configuration.IsDisabled)
            //    {
            //        throw new SecurityException("User account has been disabled.");
            //    }
            //}
        }
    }
}
Fix more warnings 2019-11-01 10:38:54 -07:00			`#pragma warning disable CS1591`
More warnings (removed) 2019-12-10 16:13:57 -07:00			`#pragma warning disable SA1600`
Fix more warnings 2019-11-01 10:38:54 -07:00
Visual Studio Reformat: Emby.Server.Implementations Part De-H 2019-01-13 12:20:41 -07:00			`using System;`
			`using System.Linq;`
Add authentication and remove versioning 2019-11-23 08:31:02 -07:00			`using Emby.Server.Implementations.SocketSharp;`
Visual Studio Reformat: Emby.Server.Implementations Part De-H 2019-01-13 12:20:41 -07:00			`using MediaBrowser.Common.Net;`
Mayor code cleanup Add ArgumentExceptions now use proper nameof operators. Added exception messages to quite a few ArgumentExceptions. Fixed rethorwing to be proper syntax. Added a ton of null checkes. (This is only a start, there are about 500 places that need proper null handling) Added some TODOs to log certain exceptions. Fix sln again. Fixed all AssemblyInfo's and added proper copyright (where I could find them) We live in current year. Fixed the use of braces. Fixed a ton of properties, and made a fair amount of functions static that should be and can be static. Made more Methods that should be static static. You can now use static to find bad functions! Removed unused variable. And added one more proper XML comment. 2019-01-06 13:50:43 -07:00			`using MediaBrowser.Controller.Configuration;`
revise endpoint attributes 2014-11-14 19:31:03 -07:00			`using MediaBrowser.Controller.Entities;`
run all ajax through apiclient 2014-07-01 22:16:59 -07:00			`using MediaBrowser.Controller.Net;`
revise endpoint attributes 2014-11-14 19:31:03 -07:00			`using MediaBrowser.Controller.Security;`
updated service stack 2014-11-15 08:51:49 -07:00			`using MediaBrowser.Controller.Session;`
update request classes 2017-09-03 11:38:26 -07:00			`using MediaBrowser.Model.Services;`
Add authentication and remove versioning 2019-11-23 08:31:02 -07:00			`using Microsoft.AspNetCore.Http;`
			`using Microsoft.Extensions.Logging;`
fixes #789 - Security Issue: API allows access to any folder of the PC running MediaBrowser 2014-07-01 21:57:18 -07:00
move classes 2016-11-03 18:18:51 -07:00			`namespace Emby.Server.Implementations.HttpServer.Security`
fixes #789 - Security Issue: API allows access to any folder of the PC running MediaBrowser 2014-07-01 21:57:18 -07:00			`{`
			`public class AuthService : IAuthService`
			`{`
Add authentication and remove versioning 2019-11-23 08:31:02 -07:00			`private readonly ILogger<AuthService> _logger;`
Replace custom code with Asp.Net Core code 2019-07-28 14:53:19 -07:00			`private readonly IAuthorizationContext _authorizationContext;`
			`private readonly ISessionManager _sessionManager;`
completed auth database 2014-07-07 18:41:03 -07:00			`private readonly IServerConfigurationManager _config;`
Replace custom code with Asp.Net Core code 2019-07-28 14:53:19 -07:00			`private readonly INetworkManager _networkManager;`
completed auth database 2014-07-07 18:41:03 -07:00
Replace custom code with Asp.Net Core code 2019-07-28 14:53:19 -07:00			`public AuthService(`
Fix review comments 2019-11-24 10:25:43 -07:00			`ILogger<AuthService> logger,`
Replace custom code with Asp.Net Core code 2019-07-28 14:53:19 -07:00			`IAuthorizationContext authorizationContext,`
			`IServerConfigurationManager config,`
			`ISessionManager sessionManager,`
			`INetworkManager networkManager)`
run all ajax through apiclient 2014-07-01 22:16:59 -07:00			`{`
Fix review comments 2019-11-24 10:25:43 -07:00			`_logger = logger;`
Replace custom code with Asp.Net Core code 2019-07-28 14:53:19 -07:00			`_authorizationContext = authorizationContext;`
completed auth database 2014-07-07 18:41:03 -07:00			`_config = config;`
Replace custom code with Asp.Net Core code 2019-07-28 14:53:19 -07:00			`_sessionManager = sessionManager;`
			`_networkManager = networkManager;`
run all ajax through apiclient 2014-07-01 22:16:59 -07:00			`}`

Update to 3.5.2 and .net core 2.1 2018-09-12 10:26:21 -07:00			`public void Authenticate(IRequest request, IAuthenticationAttributes authAttribtues)`
fixes #789 - Security Issue: API allows access to any folder of the PC running MediaBrowser 2014-07-01 21:57:18 -07:00			`{`
revise endpoint attributes 2014-11-14 19:31:03 -07:00			`ValidateUser(request, authAttribtues);`
fixes #789 - Security Issue: API allows access to any folder of the PC running MediaBrowser 2014-07-01 21:57:18 -07:00			`}`

Add authentication and remove versioning 2019-11-23 08:31:02 -07:00			`public User Authenticate(HttpRequest request, IAuthenticationAttributes authAttributes)`
			`{`
			`var req = new WebSocketSharpRequest(request, null, request.Path, _logger);`
			`var user = ValidateUser(req, authAttributes);`
			`return user;`
			`}`

			`private User ValidateUser(IRequest request, IAuthenticationAttributes authAttribtues)`
fixes #789 - Security Issue: API allows access to any folder of the PC running MediaBrowser 2014-07-01 21:57:18 -07:00			`{`
remove mono compiler directives 2014-10-06 16:58:46 -07:00			`// This code is executed before the service`
Replace custom code with Asp.Net Core code 2019-07-28 14:53:19 -07:00			`var auth = _authorizationContext.GetAuthorizationInfo(request);`
run all ajax through apiclient 2014-07-01 22:16:59 -07:00
Simplify/remove/clean code * Remove useless runtime check (we only support one) * Remove unused args * Remove a global constant And ofc fix some warnings ;) 2019-03-25 14:25:32 -07:00			`if (!IsExemptFromAuthenticationToken(authAttribtues, request))`
run all ajax through apiclient 2014-07-01 22:16:59 -07:00			`{`
Remove Emby.Server.Connect 2018-12-10 17:27:54 -07:00			`ValidateSecurityToken(request, auth.Token);`
completed auth database 2014-07-07 18:41:03 -07:00			`}`
run all ajax through apiclient 2014-07-01 22:16:59 -07:00
Update to 3.5.2 and .net core 2.1 2018-09-12 10:26:21 -07:00			`if (authAttribtues.AllowLocalOnly && !request.IsLocal)`
			`{`
			`throw new SecurityException("Operation not found.");`
			`}`
run all ajax through apiclient 2014-07-01 22:16:59 -07:00
Update to 3.5.2 and .net core 2.1 2018-09-12 10:26:21 -07:00			`var user = auth.User;`

Fix multiple mistakes and warnings 2019-09-20 03:42:08 -07:00			`if (user == null && auth.UserId != Guid.Empty)`
fix ipad login issue 2014-07-14 18:25:58 -07:00			`{`
revise endpoint attributes 2014-11-14 19:31:03 -07:00			`throw new SecurityException("User with Id " + auth.UserId + " not found");`
fix ipad login issue 2014-07-14 18:25:58 -07:00			`}`

fixes #552 - Add parental control usage limits 2014-10-14 17:05:09 -07:00			`if (user != null)`
completed auth database 2014-07-07 18:41:03 -07:00			`{`
enable user device access 2014-12-29 13:18:48 -07:00			`ValidateUserAccess(user, request, authAttribtues, auth);`
run all ajax through apiclient 2014-07-01 22:16:59 -07:00			`}`
completed auth database 2014-07-07 18:41:03 -07:00
update dlna profiles 2015-02-06 20:25:23 -07:00			`var info = GetTokenInfo(request);`
fixes #1001 - Support downloading 2015-02-05 22:39:07 -07:00
update request classes 2017-09-03 11:38:26 -07:00			`if (!IsExemptFromRoles(auth, authAttribtues, request, info))`
revise endpoint attributes 2014-11-14 19:31:03 -07:00			`{`
3.2.30.3 2017-08-30 11:52:29 -07:00			`var roles = authAttribtues.GetRoles();`
revise endpoint attributes 2014-11-14 19:31:03 -07:00
			`ValidateRoles(roles, user);`
			`}`
updated service stack 2014-11-15 08:51:49 -07:00
Update to 3.5.2 and .net core 2.1 2018-09-12 10:26:21 -07:00			`if (!string.IsNullOrEmpty(auth.DeviceId) &&`
			`!string.IsNullOrEmpty(auth.Client) &&`
			`!string.IsNullOrEmpty(auth.Device))`
updated service stack 2014-11-15 08:51:49 -07:00			`{`
Replace custom code with Asp.Net Core code 2019-07-28 14:53:19 -07:00			`_sessionManager.LogSessionActivity(auth.Client,`
updated service stack 2014-11-15 08:51:49 -07:00			`auth.Version,`
			`auth.DeviceId,`
			`auth.Device,`
			`request.RemoteIp,`
			`user);`
			`}`
Add authentication and remove versioning 2019-11-23 08:31:02 -07:00
			`return user;`
revise endpoint attributes 2014-11-14 19:31:03 -07:00			`}`

Replace custom code with Asp.Net Core code 2019-07-28 14:53:19 -07:00			`private void ValidateUserAccess(`
			`User user,`
			`IRequest request,`
enable user device access 2014-12-29 13:18:48 -07:00			`IAuthenticationAttributes authAttribtues,`
			`AuthorizationInfo auth)`
			`{`
			`if (user.Policy.IsDisabled)`
			`{`
			`throw new SecurityException("User account has been disabled.")`
			`{`
			`SecurityExceptionType = SecurityExceptionType.Unauthenticated`
			`};`
			`}`

Replace custom code with Asp.Net Core code 2019-07-28 14:53:19 -07:00			`if (!user.Policy.EnableRemoteAccess && !_networkManager.IsInLocalNetwork(request.RemoteIp))`
Update to 3.5.2 and .net core 2.1 2018-09-12 10:26:21 -07:00			`{`
			`throw new SecurityException("User account has been disabled.")`
			`{`
			`SecurityExceptionType = SecurityExceptionType.Unauthenticated`
			`};`
			`}`

Replace custom code with Asp.Net Core code 2019-07-28 14:53:19 -07:00			`if (!user.Policy.IsAdministrator`
			`&& !authAttribtues.EscapeParentalControl`
			`&& !user.IsParentalScheduleAllowed())`
enable user device access 2014-12-29 13:18:48 -07:00			`{`
Replace custom code with Asp.Net Core code 2019-07-28 14:53:19 -07:00			`request.Response.Headers.Add("X-Application-Error-Code", "ParentalControl");`
enable user device access 2014-12-29 13:18:48 -07:00
			`throw new SecurityException("This user account is not allowed access at this time.")`
			`{`
			`SecurityExceptionType = SecurityExceptionType.ParentalControl`
			`};`
			`}`
			`}`

Simplify/remove/clean code * Remove useless runtime check (we only support one) * Remove unused args * Remove a global constant And ofc fix some warnings ;) 2019-03-25 14:25:32 -07:00			`private bool IsExemptFromAuthenticationToken(IAuthenticationAttributes authAttribtues, IRequest request)`
revise endpoint attributes 2014-11-14 19:31:03 -07:00			`{`
update authentication 2016-02-18 11:27:46 -07:00			`if (!_config.Configuration.IsStartupWizardCompleted && authAttribtues.AllowBeforeStartupWizard)`
revise endpoint attributes 2014-11-14 19:31:03 -07:00			`{`
			`return true;`
			`}`

update request classes 2017-09-03 11:38:26 -07:00			`if (authAttribtues.AllowLocal && request.IsLocal)`
			`{`
			`return true;`
			`}`
Update to 3.5.2 and .net core 2.1 2018-09-12 10:26:21 -07:00			`if (authAttribtues.AllowLocalOnly && request.IsLocal)`
			`{`
			`return true;`
			`}`
update request classes 2017-09-03 11:38:26 -07:00
update authentication 2016-02-18 11:27:46 -07:00			`return false;`
revise endpoint attributes 2014-11-14 19:31:03 -07:00			`}`

update request classes 2017-09-03 11:38:26 -07:00			`private bool IsExemptFromRoles(AuthorizationInfo auth, IAuthenticationAttributes authAttribtues, IRequest request, AuthenticationInfo tokenInfo)`
revise endpoint attributes 2014-11-14 19:31:03 -07:00			`{`
update authentication 2016-02-18 11:27:46 -07:00			`if (!_config.Configuration.IsStartupWizardCompleted && authAttribtues.AllowBeforeStartupWizard)`
revise endpoint attributes 2014-11-14 19:31:03 -07:00			`{`
			`return true;`
			`}`

update request classes 2017-09-03 11:38:26 -07:00			`if (authAttribtues.AllowLocal && request.IsLocal)`
			`{`
			`return true;`
			`}`

Update to 3.5.2 and .net core 2.1 2018-09-12 10:26:21 -07:00			`if (authAttribtues.AllowLocalOnly && request.IsLocal)`
			`{`
			`return true;`
			`}`

			`if (string.IsNullOrEmpty(auth.Token))`
fixes #1001 - Support downloading 2015-02-05 22:39:07 -07:00			`{`
			`return true;`
			`}`

Update to 3.5.2 and .net core 2.1 2018-09-12 10:26:21 -07:00			`if (tokenInfo != null && tokenInfo.UserId.Equals(Guid.Empty))`
fixes #1001 - Support downloading 2015-02-05 22:39:07 -07:00			`{`
			`return true;`
			`}`

revise endpoint attributes 2014-11-14 19:31:03 -07:00			`return false;`
			`}`
connect updates 2014-10-28 16:17:55 -07:00
Mayor code cleanup Add ArgumentExceptions now use proper nameof operators. Added exception messages to quite a few ArgumentExceptions. Fixed rethorwing to be proper syntax. Added a ton of null checkes. (This is only a start, there are about 500 places that need proper null handling) Added some TODOs to log certain exceptions. Fix sln again. Fixed all AssemblyInfo's and added proper copyright (where I could find them) We live in current year. Fixed the use of braces. Fixed a ton of properties, and made a fair amount of functions static that should be and can be static. Made more Methods that should be static static. You can now use static to find bad functions! Removed unused variable. And added one more proper XML comment. 2019-01-06 13:50:43 -07:00			`private static void ValidateRoles(string[] roles, User user)`
revise endpoint attributes 2014-11-14 19:31:03 -07:00			`{`
set roles on connect endpoints 2014-09-14 10:42:23 -07:00			`if (roles.Contains("admin", StringComparer.OrdinalIgnoreCase))`
			`{`
start using user policy 2014-12-19 23:06:27 -07:00			`if (user == null \|\| !user.Policy.IsAdministrator)`
set roles on connect endpoints 2014-09-14 10:42:23 -07:00			`{`
revise endpoint attributes 2014-11-14 19:31:03 -07:00			`throw new SecurityException("User does not have admin access.")`
			`{`
			`SecurityExceptionType = SecurityExceptionType.Unauthenticated`
			`};`
set roles on connect endpoints 2014-09-14 10:42:23 -07:00			`}`
			`}`
Replace custom code with Asp.Net Core code 2019-07-28 14:53:19 -07:00
revise endpoint attributes 2014-11-14 19:31:03 -07:00			`if (roles.Contains("delete", StringComparer.OrdinalIgnoreCase))`
fixes #789 - Security Issue: API allows access to any folder of the PC running MediaBrowser 2014-07-01 21:57:18 -07:00			`{`
start using user policy 2014-12-19 23:06:27 -07:00			`if (user == null \|\| !user.Policy.EnableContentDeletion)`
revise endpoint attributes 2014-11-14 19:31:03 -07:00			`{`
			`throw new SecurityException("User does not have delete access.")`
			`{`
			`SecurityExceptionType = SecurityExceptionType.Unauthenticated`
			`};`
			`}`
fixes #789 - Security Issue: API allows access to any folder of the PC running MediaBrowser 2014-07-01 21:57:18 -07:00			`}`
Replace custom code with Asp.Net Core code 2019-07-28 14:53:19 -07:00
fixes #1001 - Support downloading 2015-02-05 22:39:07 -07:00			`if (roles.Contains("download", StringComparer.OrdinalIgnoreCase))`
			`{`
			`if (user == null \|\| !user.Policy.EnableContentDownloading)`
			`{`
			`throw new SecurityException("User does not have download access.")`
			`{`
			`SecurityExceptionType = SecurityExceptionType.Unauthenticated`
			`};`
			`}`
			`}`
fixes #789 - Security Issue: API allows access to any folder of the PC running MediaBrowser 2014-07-01 21:57:18 -07:00			`}`

Mayor code cleanup Add ArgumentExceptions now use proper nameof operators. Added exception messages to quite a few ArgumentExceptions. Fixed rethorwing to be proper syntax. Added a ton of null checkes. (This is only a start, there are about 500 places that need proper null handling) Added some TODOs to log certain exceptions. Fix sln again. Fixed all AssemblyInfo's and added proper copyright (where I could find them) We live in current year. Fixed the use of braces. Fixed a ton of properties, and made a fair amount of functions static that should be and can be static. Made more Methods that should be static static. You can now use static to find bad functions! Removed unused variable. And added one more proper XML comment. 2019-01-06 13:50:43 -07:00			`private static AuthenticationInfo GetTokenInfo(IRequest request)`
update dlna profiles 2015-02-06 20:25:23 -07:00			`{`
ReSharper format: conform inline 'out' parameters. 2019-01-13 13:46:33 -07:00			`request.Items.TryGetValue("OriginalAuthenticationInfo", out var info);`
update dlna profiles 2015-02-06 20:25:23 -07:00			`return info as AuthenticationInfo;`
			`}`

update request classes 2017-09-03 11:38:26 -07:00			`private void ValidateSecurityToken(IRequest request, string token)`
fixes #789 - Security Issue: API allows access to any folder of the PC running MediaBrowser 2014-07-01 21:57:18 -07:00			`{`
Update to 3.5.2 and .net core 2.1 2018-09-12 10:26:21 -07:00			`if (string.IsNullOrEmpty(token))`
fixes #789 - Security Issue: API allows access to any folder of the PC running MediaBrowser 2014-07-01 21:57:18 -07:00			`{`
update logging levels 2015-10-04 15:04:56 -07:00			`throw new SecurityException("Access token is required.");`
fixes #789 - Security Issue: API allows access to any folder of the PC running MediaBrowser 2014-07-01 21:57:18 -07:00			`}`

update dlna profiles 2015-02-06 20:25:23 -07:00			`var info = GetTokenInfo(request);`
revise endpoint attributes 2014-11-14 19:31:03 -07:00
			`if (info == null)`
fixes #789 - Security Issue: API allows access to any folder of the PC running MediaBrowser 2014-07-01 21:57:18 -07:00			`{`
revise endpoint attributes 2014-11-14 19:31:03 -07:00			`throw new SecurityException("Access token is invalid or expired.");`
fixes #789 - Security Issue: API allows access to any folder of the PC running MediaBrowser 2014-07-01 21:57:18 -07:00			`}`

Update to 3.5.2 and .net core 2.1 2018-09-12 10:26:21 -07:00			`//if (!string.IsNullOrEmpty(info.UserId))`
revise endpoint attributes 2014-11-14 19:31:03 -07:00			`//{`
			`// var user = _userManager.GetUserById(info.UserId);`
fixes #789 - Security Issue: API allows access to any folder of the PC running MediaBrowser 2014-07-01 21:57:18 -07:00
revise endpoint attributes 2014-11-14 19:31:03 -07:00			`// if (user == null \|\| user.Configuration.IsDisabled)`
			`// {`
			`// throw new SecurityException("User account has been disabled.");`
			`// }`
			`//}`
fixes #789 - Security Issue: API allows access to any folder of the PC running MediaBrowser 2014-07-01 21:57:18 -07:00			`}`
			`}`
			`}`