open-source-mirrors
/
jellyfin
mirror of https://github.com/jellyfin/jellyfin
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Enforce permissions

Browse Source
pull/11220/head
Shadowghost 2 months ago
parent 8cf77424f6
commit 3e0b201688
2 changed files with 88 additions and 19 deletions
Show Stats Download Patch File Download Diff File

105
Jellyfin.Api/Controllers/PlaylistsController.cs
Unescape View File

@ -106,7 +106,7 @@ public class PlaylistsController : BaseJellyfinApiController
/// <param name="playlistId">The playlist id.</param> /// <param name="playlistId">The playlist id.</param>
/// <param name="updatePlaylistRequest">The <see cref="UpdatePlaylistDto"/> id.</param> /// <param name="updatePlaylistRequest">The <see cref="UpdatePlaylistDto"/> id.</param>
/// <response code="204">Playlist updated.</response> /// <response code="204">Playlist updated.</response>
/// <response code="401">Unauthorized access.</response> /// <response code="403">Access forbidden.</response>
/// <response code="404">Playlist not found.</response> /// <response code="404">Playlist not found.</response>
/// <returns> /// <returns>
/// A <see cref="Task" /> that represents the asynchronous operation to update a playlist. /// A <see cref="Task" /> that represents the asynchronous operation to update a playlist.
@ -114,10 +114,11 @@ public class PlaylistsController : BaseJellyfinApiController
/// </returns> /// </returns>
[HttpPost("{playlistId}")] [HttpPost("{playlistId}")]
[ProducesResponseType(StatusCodes.Status200OK)] [ProducesResponseType(StatusCodes.Status200OK)]
[ProducesResponseType(StatusCodes.Status401Unauthorized)] [ProducesResponseType(StatusCodes.Status403Forbidden)]
[ProducesResponseType(StatusCodes.Status404NotFound)]
public async Task<ActionResult> UpdatePlaylist( public async Task<ActionResult> UpdatePlaylist(
[FromRoute, Required] Guid playlistId, [FromRoute, Required] Guid playlistId,
[FromBody(EmptyBodyBehavior = EmptyBodyBehavior.Disallow)] UpdatePlaylistDto updatePlaylistRequest) [FromBody, Required] UpdatePlaylistDto updatePlaylistRequest)
{ {
var callingUserId = User.GetUserId(); var callingUserId = User.GetUserId();
@ -132,7 +133,7 @@ public class PlaylistsController : BaseJellyfinApiController
if (!isPermitted) if (!isPermitted)
{ {
return Unauthorized("Unauthorized access"); return Forbid();
} }
await _playlistManager.UpdatePlaylist(new PlaylistUpdateRequest await _playlistManager.UpdatePlaylist(new PlaylistUpdateRequest
@ -153,14 +154,14 @@ public class PlaylistsController : BaseJellyfinApiController
/// </summary> /// </summary>
/// <param name="playlistId">The playlist id.</param> /// <param name="playlistId">The playlist id.</param>
/// <response code="200">Found shares.</response> /// <response code="200">Found shares.</response>
/// <response code="401">Unauthorized access.</response> /// <response code="403">Access forbidden.</response>
/// <response code="404">Playlist not found.</response> /// <response code="404">Playlist not found.</response>
/// <returns> /// <returns>
/// A list of <see cref="PlaylistUserPermissions"/> objects. /// A list of <see cref="PlaylistUserPermissions"/> objects.
/// </returns> /// </returns>
[HttpGet("{playlistId}/User")] [HttpGet("{playlistId}/User")]
[ProducesResponseType(StatusCodes.Status200OK)] [ProducesResponseType(StatusCodes.Status200OK)]
[ProducesResponseType(StatusCodes.Status401Unauthorized)] [ProducesResponseType(StatusCodes.Status403Forbidden)]
[ProducesResponseType(StatusCodes.Status404NotFound)] [ProducesResponseType(StatusCodes.Status404NotFound)]
public ActionResult<IReadOnlyList<PlaylistUserPermissions>> GetPlaylistUsers( public ActionResult<IReadOnlyList<PlaylistUserPermissions>> GetPlaylistUsers(
[FromRoute, Required] Guid playlistId) [FromRoute, Required] Guid playlistId)
@ -173,10 +174,9 @@ public class PlaylistsController : BaseJellyfinApiController
return NotFound("Playlist not found"); return NotFound("Playlist not found");
} }
var isPermitted = playlist.OwnerUserId.Equals(userId) var isPermitted = playlist.OwnerUserId.Equals(userId);
|| playlist.Shares.Any(s => s.CanEdit && s.UserId.Equals(userId));
return isPermitted ? playlist.Shares.ToList() : Unauthorized("Unauthorized Access"); return isPermitted ? playlist.Shares.ToList() : Forbid();
} }
/// <summary> /// <summary>
@ -186,7 +186,7 @@ public class PlaylistsController : BaseJellyfinApiController
/// <param name="userId">The user id.</param> /// <param name="userId">The user id.</param>
/// <param name="updatePlaylistUserRequest">The <see cref="UpdatePlaylistUserDto"/>.</param> /// <param name="updatePlaylistUserRequest">The <see cref="UpdatePlaylistUserDto"/>.</param>
/// <response code="204">User's permissions modified.</response> /// <response code="204">User's permissions modified.</response>
/// <response code="401">Unauthorized access.</response> /// <response code="403">Access forbidden.</response>
/// <response code="404">Playlist not found.</response> /// <response code="404">Playlist not found.</response>
/// <returns> /// <returns>
/// A <see cref="Task" /> that represents the asynchronous operation to modify an user's playlist permissions. /// A <see cref="Task" /> that represents the asynchronous operation to modify an user's playlist permissions.
@ -194,7 +194,8 @@ public class PlaylistsController : BaseJellyfinApiController
/// </returns> /// </returns>
[HttpPost("{playlistId}/User/{userId}")] [HttpPost("{playlistId}/User/{userId}")]
[ProducesResponseType(StatusCodes.Status204NoContent)] [ProducesResponseType(StatusCodes.Status204NoContent)]
[ProducesResponseType(StatusCodes.Status401Unauthorized)] [ProducesResponseType(StatusCodes.Status403Forbidden)]
[ProducesResponseType(StatusCodes.Status404NotFound)]
public async Task<ActionResult> UpdatePlaylistUser( public async Task<ActionResult> UpdatePlaylistUser(
[FromRoute, Required] Guid playlistId, [FromRoute, Required] Guid playlistId,
[FromRoute, Required] Guid userId, [FromRoute, Required] Guid userId,
@ -208,12 +209,11 @@ public class PlaylistsController : BaseJellyfinApiController
return NotFound("Playlist not found"); return NotFound("Playlist not found");
} }
var isPermitted = playlist.OwnerUserId.Equals(callingUserId) var isPermitted = playlist.OwnerUserId.Equals(callingUserId);
|| playlist.Shares.Any(s => s.CanEdit && s.UserId.Equals(callingUserId));
if (!isPermitted) if (!isPermitted)
{ {
return Unauthorized("Unauthorized access"); return Forbid();
} }
await _playlistManager.AddUserToShares(new PlaylistUserUpdateRequest await _playlistManager.AddUserToShares(new PlaylistUserUpdateRequest
@ -240,7 +240,7 @@ public class PlaylistsController : BaseJellyfinApiController
/// </returns> /// </returns>
[HttpDelete("{playlistId}/User/{userId}")] [HttpDelete("{playlistId}/User/{userId}")]
[ProducesResponseType(StatusCodes.Status204NoContent)] [ProducesResponseType(StatusCodes.Status204NoContent)]
[ProducesResponseType(StatusCodes.Status401Unauthorized)] [ProducesResponseType(StatusCodes.Status403Forbidden)]
[ProducesResponseType(StatusCodes.Status404NotFound)] [ProducesResponseType(StatusCodes.Status404NotFound)]
public async Task<ActionResult> RemoveUserFromPlaylist( public async Task<ActionResult> RemoveUserFromPlaylist(
[FromRoute, Required] Guid playlistId, [FromRoute, Required] Guid playlistId,
@ -259,7 +259,7 @@ public class PlaylistsController : BaseJellyfinApiController
if (!isPermitted) if (!isPermitted)
{ {
return Unauthorized("Unauthorized access"); return Forbid();
} }
var share = playlist.Shares.FirstOrDefault(s => s.UserId.Equals(userId)); var share = playlist.Shares.FirstOrDefault(s => s.UserId.Equals(userId));
@ -280,15 +280,33 @@ public class PlaylistsController : BaseJellyfinApiController
/// <param name="ids">Item id, comma delimited.</param> /// <param name="ids">Item id, comma delimited.</param>
/// <param name="userId">The userId.</param> /// <param name="userId">The userId.</param>
/// <response code="204">Items added to playlist.</response> /// <response code="204">Items added to playlist.</response>
/// <response code="403">Access forbidden.</response>
/// <response code="404">Playlist not found.</response>
/// <returns>An <see cref="NoContentResult"/> on success.</returns> /// <returns>An <see cref="NoContentResult"/> on success.</returns>
[HttpPost("{playlistId}/Items")] [HttpPost("{playlistId}/Items")]
[ProducesResponseType(StatusCodes.Status204NoContent)] [ProducesResponseType(StatusCodes.Status204NoContent)]
[ProducesResponseType(StatusCodes.Status403Forbidden)]
[ProducesResponseType(StatusCodes.Status404NotFound)]
public async Task<ActionResult> AddItemToPlaylist( public async Task<ActionResult> AddItemToPlaylist(
[FromRoute, Required] Guid playlistId, [FromRoute, Required] Guid playlistId,
[FromQuery, ModelBinder(typeof(CommaDelimitedArrayModelBinder))] Guid[] ids, [FromQuery, ModelBinder(typeof(CommaDelimitedArrayModelBinder))] Guid[] ids,
[FromQuery] Guid? userId) [FromQuery] Guid? userId)
{ {
userId = RequestHelpers.GetUserId(User, userId); userId = RequestHelpers.GetUserId(User, userId);
var playlist = _playlistManager.GetPlaylistForUser(playlistId, userId.Value);
if (playlist is null)
{
return NotFound("Playlist not found");
}
var isPermitted = playlist.OwnerUserId.Equals(userId.Value)
|| playlist.Shares.Any(s => s.CanEdit && s.UserId.Equals(userId.Value));
if (!isPermitted)
{
return Forbid();
}
await _playlistManager.AddItemToPlaylistAsync(playlistId, ids, userId.Value).ConfigureAwait(false); await _playlistManager.AddItemToPlaylistAsync(playlistId, ids, userId.Value).ConfigureAwait(false);
return NoContent(); return NoContent();
} }
@ -300,14 +318,34 @@ public class PlaylistsController : BaseJellyfinApiController
/// <param name="itemId">The item id.</param> /// <param name="itemId">The item id.</param>
/// <param name="newIndex">The new index.</param> /// <param name="newIndex">The new index.</param>
/// <response code="204">Item moved to new index.</response> /// <response code="204">Item moved to new index.</response>
/// <response code="403">Access forbidden.</response>
/// <response code="404">Playlist not found.</response>
/// <returns>An <see cref="NoContentResult"/> on success.</returns> /// <returns>An <see cref="NoContentResult"/> on success.</returns>
[HttpPost("{playlistId}/Items/{itemId}/Move/{newIndex}")] [HttpPost("{playlistId}/Items/{itemId}/Move/{newIndex}")]
[ProducesResponseType(StatusCodes.Status204NoContent)] [ProducesResponseType(StatusCodes.Status204NoContent)]
[ProducesResponseType(StatusCodes.Status403Forbidden)]
[ProducesResponseType(StatusCodes.Status404NotFound)]
public async Task<ActionResult> MoveItem( public async Task<ActionResult> MoveItem(
[FromRoute, Required] string playlistId, [FromRoute, Required] string playlistId,
[FromRoute, Required] string itemId, [FromRoute, Required] string itemId,
[FromRoute, Required] int newIndex) [FromRoute, Required] int newIndex)
{ {
var callingUserId = User.GetUserId();
var playlist = _playlistManager.GetPlaylistForUser(Guid.Parse(playlistId), callingUserId);
if (playlist is null)
{
return NotFound("Playlist not found");
}
var isPermitted = playlist.OwnerUserId.Equals(callingUserId)
|| playlist.Shares.Any(s => s.CanEdit && s.UserId.Equals(callingUserId));
if (!isPermitted)
{
return Forbid();
}
await _playlistManager.MoveItemAsync(playlistId, itemId, newIndex).ConfigureAwait(false); await _playlistManager.MoveItemAsync(playlistId, itemId, newIndex).ConfigureAwait(false);
return NoContent(); return NoContent();
} }
@ -318,13 +356,33 @@ public class PlaylistsController : BaseJellyfinApiController
/// <param name="playlistId">The playlist id.</param> /// <param name="playlistId">The playlist id.</param>
/// <param name="entryIds">The item ids, comma delimited.</param> /// <param name="entryIds">The item ids, comma delimited.</param>
/// <response code="204">Items removed.</response> /// <response code="204">Items removed.</response>
/// <response code="403">Access forbidden.</response>
/// <response code="404">Playlist not found.</response>
/// <returns>An <see cref="NoContentResult"/> on success.</returns> /// <returns>An <see cref="NoContentResult"/> on success.</returns>
[HttpDelete("{playlistId}/Items")] [HttpDelete("{playlistId}/Items")]
[ProducesResponseType(StatusCodes.Status204NoContent)] [ProducesResponseType(StatusCodes.Status204NoContent)]
[ProducesResponseType(StatusCodes.Status403Forbidden)]
[ProducesResponseType(StatusCodes.Status404NotFound)]
public async Task<ActionResult> RemoveItemFromPlaylist( public async Task<ActionResult> RemoveItemFromPlaylist(
[FromRoute, Required] string playlistId, [FromRoute, Required] string playlistId,
[FromQuery, ModelBinder(typeof(CommaDelimitedArrayModelBinder))] string[] entryIds) [FromQuery, ModelBinder(typeof(CommaDelimitedArrayModelBinder))] string[] entryIds)
{ {
var callingUserId = User.GetUserId();
var playlist = _playlistManager.GetPlaylistForUser(Guid.Parse(playlistId), callingUserId);
if (playlist is null)
{
return NotFound("Playlist not found");
}
var isPermitted = playlist.OwnerUserId.Equals(callingUserId)
|| playlist.Shares.Any(s => s.CanEdit && s.UserId.Equals(callingUserId));
if (!isPermitted)
{
return Forbid();
}
await _playlistManager.RemoveItemFromPlaylistAsync(playlistId, entryIds).ConfigureAwait(false); await _playlistManager.RemoveItemFromPlaylistAsync(playlistId, entryIds).ConfigureAwait(false);
return NoContent(); return NoContent();
} }
@ -342,10 +400,12 @@ public class PlaylistsController : BaseJellyfinApiController
/// <param name="imageTypeLimit">Optional. The max number of images to return, per image type.</param> /// <param name="imageTypeLimit">Optional. The max number of images to return, per image type.</param>
/// <param name="enableImageTypes">Optional. The image types to include in the output.</param> /// <param name="enableImageTypes">Optional. The image types to include in the output.</param>
/// <response code="200">Original playlist returned.</response> /// <response code="200">Original playlist returned.</response>
/// <response code="404">Access forbidden.</response>
/// <response code="404">Playlist not found.</response> /// <response code="404">Playlist not found.</response>
/// <returns>The original playlist items.</returns> /// <returns>The original playlist items.</returns>
[HttpGet("{playlistId}/Items")] [HttpGet("{playlistId}/Items")]
[ProducesResponseType(StatusCodes.Status200OK)] [ProducesResponseType(StatusCodes.Status200OK)]
[ProducesResponseType(StatusCodes.Status403Forbidden)]
[ProducesResponseType(StatusCodes.Status404NotFound)] [ProducesResponseType(StatusCodes.Status404NotFound)]
public ActionResult<QueryResult<BaseItemDto>> GetPlaylistItems( public ActionResult<QueryResult<BaseItemDto>> GetPlaylistItems(
[FromRoute, Required] Guid playlistId, [FromRoute, Required] Guid playlistId,
@ -359,10 +419,19 @@ public class PlaylistsController : BaseJellyfinApiController
[FromQuery, ModelBinder(typeof(CommaDelimitedArrayModelBinder))] ImageType[] enableImageTypes) [FromQuery, ModelBinder(typeof(CommaDelimitedArrayModelBinder))] ImageType[] enableImageTypes)
{ {
userId = RequestHelpers.GetUserId(User, userId); userId = RequestHelpers.GetUserId(User, userId);
var playlist = (Playlist)_libraryManager.GetItemById(playlistId); var playlist = _playlistManager.GetPlaylistForUser(playlistId, userId.Value);
if (playlist is null) if (playlist is null)
{ {
return NotFound(); return NotFound("Playlist not found");
}
var isPermitted = playlist.OpenAccess
|| playlist.OwnerUserId.Equals(userId.Value)
|| playlist.Shares.Any(s => s.UserId.Equals(userId.Value));
if (!isPermitted)
{
return Forbid();
} }
var user = userId.IsNullOrEmpty() var user = userId.IsNullOrEmpty()

2
MediaBrowser.Controller/Playlists/IPlaylistManager.cs
Unescape View File

@ -23,7 +23,7 @@ namespace MediaBrowser.Controller.Playlists
/// Creates the playlist. /// Creates the playlist.
/// </summary> /// </summary>
/// <param name="request">The <see cref="PlaylistCreationRequest"/>.</param> /// <param name="request">The <see cref="PlaylistCreationRequest"/>.</param>
/// <returns>Task&lt;Playlist&gt;.</returns> /// <returns>The created playlist.</returns>
Task<PlaylistCreationResult> CreatePlaylist(PlaylistCreationRequest request); Task<PlaylistCreationResult> CreatePlaylist(PlaylistCreationRequest request);
/// <summary> /// <summary>

Write Preview
Loading…
Cancel
Save