Change arguments AssertCanUpdateUser to take a user

9 months ago · 4549337335
parent c831af2fe2
commit 4549337335
4 changed files with 40 additions and 27 deletions
--- a/Jellyfin.Api/Controllers/ImageController.cs
+++ b/Jellyfin.Api/Controllers/ImageController.cs
@ -109,7 +109,7 @@ public class ImageController : BaseJellyfinApiController
            return NotFound();
        }

-        if (!RequestHelpers.AssertCanUpdateUser(_userManager, HttpContext.User, requestUserId, true))
+        if (!RequestHelpers.AssertCanUpdateUser(HttpContext.User, user, true))
        {
            return StatusCode(StatusCodes.Status403Forbidden, "User is not allowed to update the image.");
        }
@ -203,13 +203,18 @@ public class ImageController : BaseJellyfinApiController
        [FromQuery] Guid? userId)
    {
        var requestUserId = RequestHelpers.GetUserId(User, userId);
-        if (!RequestHelpers.AssertCanUpdateUser(_userManager, HttpContext.User, requestUserId, true))
+        var user = _userManager.GetUserById(requestUserId);
+        if (user is null)
+        {
+            return NotFound();
+        }
+
+        if (!RequestHelpers.AssertCanUpdateUser(HttpContext.User, user, true))
        {
            return StatusCode(StatusCodes.Status403Forbidden, "User is not allowed to delete the image.");
        }

-        var user = _userManager.GetUserById(requestUserId);
-        if (user?.ProfileImage is null)
+        if (user.ProfileImage is null)
        {
            return NoContent();
        }
--- a/Jellyfin.Api/Controllers/ItemsController.cs
+++ b/Jellyfin.Api/Controllers/ItemsController.cs
@ -972,12 +972,17 @@ public class ItemsController : BaseJellyfinApiController
        [FromRoute, Required] Guid itemId)
    {
        var requestUserId = RequestHelpers.GetUserId(User, userId);
-        if (!RequestHelpers.AssertCanUpdateUser(_userManager, User, requestUserId, true))
+        var user = _userManager.GetUserById(requestUserId);
+        if (user is null)
+        {
+            return NotFound();
+        }
+
+        if (!RequestHelpers.AssertCanUpdateUser(User, user, true))
        {
            return StatusCode(StatusCodes.Status403Forbidden, "User is not allowed to view this item user data.");
        }

-        var user = _userManager.GetUserById(requestUserId) ?? throw new ResourceNotFoundException();
        var item = _libraryManager.GetItemById<BaseItem>(itemId, user);
        if (item is null)
        {
@ -1023,12 +1028,17 @@ public class ItemsController : BaseJellyfinApiController
        [FromBody, Required] UpdateUserItemDataDto userDataDto)
    {
        var requestUserId = RequestHelpers.GetUserId(User, userId);
-        if (!RequestHelpers.AssertCanUpdateUser(_userManager, User, requestUserId, true))
+        var user = _userManager.GetUserById(requestUserId);
+        if (user is null)
+        {
+            return NotFound();
+        }
+
+        if (!RequestHelpers.AssertCanUpdateUser(User, user, true))
        {
            return StatusCode(StatusCodes.Status403Forbidden, "User is not allowed to update this item user data.");
        }

-        var user = _userManager.GetUserById(requestUserId) ?? throw new ResourceNotFoundException();
        var item = _libraryManager.GetItemById<BaseItem>(itemId, user);
        if (item is null)
        {
--- a/Jellyfin.Api/Controllers/UserController.cs
+++ b/Jellyfin.Api/Controllers/UserController.cs
@ -274,16 +274,15 @@ public class UserController : BaseJellyfinApiController
        [FromBody, Required] UpdateUserPassword request)
    {
        var requestUserId = userId ?? User.GetUserId();
-        if (!RequestHelpers.AssertCanUpdateUser(_userManager, User, requestUserId, true))
+        var user = _userManager.GetUserById(requestUserId);
+        if (user is null)
        {
-            return StatusCode(StatusCodes.Status403Forbidden, "User is not allowed to update the password.");
+            return NotFound();
        }

-        var user = _userManager.GetUserById(requestUserId);
-
-        if (user is null)
+        if (!RequestHelpers.AssertCanUpdateUser(User, user, true))
        {
-            return NotFound("User not found");
+            return StatusCode(StatusCodes.Status403Forbidden, "User is not allowed to update the password.");
        }

        if (request.ResetPassword)
@ -386,7 +385,7 @@ public class UserController : BaseJellyfinApiController
            return NotFound();
        }

-        if (!RequestHelpers.AssertCanUpdateUser(_userManager, User, requestUserId, true))
+        if (!RequestHelpers.AssertCanUpdateUser(User, user, true))
        {
            return StatusCode(StatusCodes.Status403Forbidden, "User update not allowed.");
        }
@ -396,7 +395,7 @@ public class UserController : BaseJellyfinApiController
            await _userManager.RenameUser(user, updateUser.Name).ConfigureAwait(false);
        }

-        await _userManager.UpdateConfigurationAsync(user.Id, updateUser.Configuration).ConfigureAwait(false);
+        await _userManager.UpdateConfigurationAsync(requestUserId, updateUser.Configuration).ConfigureAwait(false);

        return NoContent();
    }
@ -495,7 +494,13 @@ public class UserController : BaseJellyfinApiController
        [FromBody, Required] UserConfiguration userConfig)
    {
        var requestUserId = userId ?? User.GetUserId();
-        if (!RequestHelpers.AssertCanUpdateUser(_userManager, User, requestUserId, true))
+        var user = _userManager.GetUserById(requestUserId);
+        if (user is null)
+        {
+            return NotFound();
+        }
+
+        if (!RequestHelpers.AssertCanUpdateUser(User, user, true))
        {
            return StatusCode(StatusCodes.Status403Forbidden, "User configuration update not allowed");
        }
--- a/Jellyfin.Api/Helpers/RequestHelpers.cs
+++ b/Jellyfin.Api/Helpers/RequestHelpers.cs
@ -86,18 +86,17 @@ public static class RequestHelpers
    /// <summary>
    /// Checks if the user can update an entry.
    /// </summary>
-    /// <param name="userManager">An instance of the <see cref="IUserManager"/> interface.</param>
    /// <param name="claimsPrincipal">The <see cref="ClaimsPrincipal"/> for the current request.</param>
-    /// <param name="userId">The user id.</param>
+    /// <param name="user">The user id.</param>
    /// <param name="restrictUserPreferences">Whether to restrict the user preferences.</param>
    /// <returns>A <see cref="bool"/> whether the user can update the entry.</returns>
-    internal static bool AssertCanUpdateUser(IUserManager userManager, ClaimsPrincipal claimsPrincipal, Guid userId, bool restrictUserPreferences)
+    internal static bool AssertCanUpdateUser(ClaimsPrincipal claimsPrincipal, User user, bool restrictUserPreferences)
    {
        var authenticatedUserId = claimsPrincipal.GetUserId();
        var isAdministrator = claimsPrincipal.IsInRole(UserRoles.Administrator);

        // If they're going to update the record of another user, they must be an administrator
-        if (!userId.Equals(authenticatedUserId) && !isAdministrator)
+        if (!user.Id.Equals(authenticatedUserId) && !isAdministrator)
        {
            return false;
        }
@ -108,12 +107,6 @@ public static class RequestHelpers
            return true;
        }

-        var user = userManager.GetUserById(userId);
-        if (user is null)
-        {
-            throw new ResourceNotFoundException();
-        }
-
        return user.EnableUserPreferenceAccess;
    }