mirror of
https://github.com/jellyfin/jellyfin.git
synced 2024-11-15 09:59:06 -07:00
Backport pull request #11651 from jellyfin/release-10.9.z
Fix FirstTimeSetupPolicy allowing guest access
Original-merge: 2cb052a119
Merged-by: crobibero <cody@robibe.ro>
Backported-by: Joshua M. Boniface <joshua@boniface.me>
This commit is contained in:
parent
b063dfd2e3
commit
9a1a588857
@ -32,6 +32,10 @@ namespace Jellyfin.Api.Auth.FirstTimeSetupPolicy
|
||||
{
|
||||
context.Fail();
|
||||
}
|
||||
else if (!requirement.RequireAdmin && context.User.IsInRole(UserRoles.Guest))
|
||||
{
|
||||
context.Fail();
|
||||
}
|
||||
else
|
||||
{
|
||||
// Any user-specific checks are handled in the DefaultAuthorizationHandler.
|
||||
|
@ -69,6 +69,27 @@ namespace Jellyfin.Api.Tests.Auth.FirstTimeSetupPolicy
|
||||
Assert.Equal(shouldSucceed, context.HasSucceeded);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[InlineData(UserRoles.Administrator, true)]
|
||||
[InlineData(UserRoles.Guest, false)]
|
||||
[InlineData(UserRoles.User, true)]
|
||||
public async Task ShouldRequireUserIfNotRequiresAdmin(string userRole, bool shouldSucceed)
|
||||
{
|
||||
TestHelpers.SetupConfigurationManager(_configurationManagerMock, true);
|
||||
var claims = TestHelpers.SetupUser(
|
||||
_userManagerMock,
|
||||
_httpContextAccessor,
|
||||
userRole);
|
||||
|
||||
var context = new AuthorizationHandlerContext(
|
||||
new List<IAuthorizationRequirement> { new FirstTimeSetupRequirement(false, false) },
|
||||
claims,
|
||||
null);
|
||||
|
||||
await _firstTimeSetupHandler.HandleAsync(context);
|
||||
Assert.Equal(shouldSucceed, context.HasSucceeded);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public async Task ShouldAllowAdminApiKeyIfStartupWizardComplete()
|
||||
{
|
||||
|
Loading…
Reference in New Issue
Block a user