Backport pull request #11651 from jellyfin/release-10.9.z

Fix FirstTimeSetupPolicy allowing guest access

Original-merge: 2cb052a119

Merged-by: crobibero <cody@robibe.ro>

Backported-by: Joshua M. Boniface <joshua@boniface.me>

Jellyfin.Api/Auth/FirstTimeSetupPolicy/FirstTimeSetupHandler.cs

@@ -32,6 +32,10 @@ namespace Jellyfin.Api.Auth.FirstTimeSetupPolicy
             {
                 context.Fail();
             }
+            else if (!requirement.RequireAdmin && context.User.IsInRole(UserRoles.Guest))
+            {
+                context.Fail();
+            }
             else
             {
                 // Any user-specific checks are handled in the DefaultAuthorizationHandler.

tests/Jellyfin.Api.Tests/Auth/FirstTimeSetupPolicy/FirstTimeSetupHandlerTests.cs

@@ -69,6 +69,27 @@ namespace Jellyfin.Api.Tests.Auth.FirstTimeSetupPolicy
             Assert.Equal(shouldSucceed, context.HasSucceeded);
         }
 
+        [Theory]
+        [InlineData(UserRoles.Administrator, true)]
+        [InlineData(UserRoles.Guest, false)]
+        [InlineData(UserRoles.User, true)]
+        public async Task ShouldRequireUserIfNotRequiresAdmin(string userRole, bool shouldSucceed)
+        {
+            TestHelpers.SetupConfigurationManager(_configurationManagerMock, true);
+            var claims = TestHelpers.SetupUser(
+                _userManagerMock,
+                _httpContextAccessor,
+                userRole);
+
+            var context = new AuthorizationHandlerContext(
+                new List<IAuthorizationRequirement> { new FirstTimeSetupRequirement(false, false) },
+                claims,
+                null);
+
+            await _firstTimeSetupHandler.HandleAsync(context);
+            Assert.Equal(shouldSucceed, context.HasSucceeded);
+        }
+
         [Fact]
         public async Task ShouldAllowAdminApiKeyIfStartupWizardComplete()
         {