diff --git a/Jellyfin.Api/Auth/FirstTimeSetupPolicy/FirstTimeSetupHandler.cs b/Jellyfin.Api/Auth/FirstTimeSetupPolicy/FirstTimeSetupHandler.cs
index 2b6b2a82c4..9b4e2182c5 100644
--- a/Jellyfin.Api/Auth/FirstTimeSetupPolicy/FirstTimeSetupHandler.cs
+++ b/Jellyfin.Api/Auth/FirstTimeSetupPolicy/FirstTimeSetupHandler.cs
@@ -32,6 +32,10 @@ namespace Jellyfin.Api.Auth.FirstTimeSetupPolicy
 {
 context.Fail();
 }
+ else if (!requirement.RequireAdmin && context.User.IsInRole(UserRoles.Guest))
+ {
+ context.Fail();
+ }
 else
 {
 // Any user-specific checks are handled in the DefaultAuthorizationHandler.
diff --git a/tests/Jellyfin.Api.Tests/Auth/FirstTimeSetupPolicy/FirstTimeSetupHandlerTests.cs b/tests/Jellyfin.Api.Tests/Auth/FirstTimeSetupPolicy/FirstTimeSetupHandlerTests.cs
index 3687d77534..2e6ffb5f6a 100644
--- a/tests/Jellyfin.Api.Tests/Auth/FirstTimeSetupPolicy/FirstTimeSetupHandlerTests.cs
+++ b/tests/Jellyfin.Api.Tests/Auth/FirstTimeSetupPolicy/FirstTimeSetupHandlerTests.cs
@@ -69,6 +69,27 @@ namespace Jellyfin.Api.Tests.Auth.FirstTimeSetupPolicy
 Assert.Equal(shouldSucceed, context.HasSucceeded);
 }
+ [Theory]
+ [InlineData(UserRoles.Administrator, true)]
+ [InlineData(UserRoles.Guest, false)]
+ [InlineData(UserRoles.User, true)]
+ public async Task ShouldRequireUserIfNotRequiresAdmin(string userRole, bool shouldSucceed)
+ {
+ TestHelpers.SetupConfigurationManager(_configurationManagerMock, true);
+ var claims = TestHelpers.SetupUser(
+ _userManagerMock,
+ _httpContextAccessor,
+ userRole);
+ var context = new AuthorizationHandlerContext(
+ new List { new FirstTimeSetupRequirement(false, false) },
+ claims,
+ null);
+ await _firstTimeSetupHandler.HandleAsync(context);
+ Assert.Equal(shouldSucceed, context.HasSucceeded);
+ }
+
 [Fact]
 public async Task ShouldAllowAdminApiKeyIfStartupWizardComplete()
 {
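Review bot: The new `else if` branch that fails guest principals now sits directly above a comment stating that "Any user-specific checks are handled in the DefaultAuthorizationHandler", so the handler contradicts its own documentation and a reader cannot tell why the guest role is special-cased here. Add a why-comment above the new branch, e.g. `// Guest sessions never satisfy this policy, even when admin is not required; remaining per-user checks stay in DefaultAuthorizationHandler.`, and reword the existing comment to `// Any other user-specific checks are handled in the DefaultAuthorizationHandler.`. Note the ordering dependency: this branch only runs when the preceding condition did not already fail the context, so a guest hitting a `RequireAdmin` requirement is presumably rejected by that earlier branch rather than this one, which is worth stating in the comment. The enclosing handler method, its first condition and the remainder of the `else` branch are outside the hunk.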
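Review bot: The guest case in `ShouldRequireUserIfNotRequiresAdmin` only asserts `context.HasSucceeded` is false, which does not distinguish an explicit `context.Fail()` from a requirement that was simply never evaluated; since the production change calls `Fail()`, pin that with a second assertion, `Assert.Equal(!shouldSucceed, context.HasFailed);`, after the existing `Assert.Equal`. The two constructor arguments to `FirstTimeSetupRequirement(false, false)` are bare booleans whose meaning the test does not convey; naming them (`requireAdmin: false, ...`) or a one-line comment would make the intent of the theory readable without opening the requirement class. The `new List { ... }` element type appears to have been lost in rendering, so I cannot confirm the collection type used. The test class and its field setup are outside the hunk.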