From 9a1a58885749a7c4f0354b0f848791e492482ccb Mon Sep 17 00:00:00 2001
From: thornbill
Date: Fri, 17 May 2024 13:51:44 -0400
Subject: [PATCH] Backport pull request #11651 from jellyfin/release-10.9.z

Fix FirstTimeSetupPolicy allowing guest access

Original-merge: 2cb052a119a43edbdeaba33f77d929a5ee4b405c
Merged-by: crobibero
Backported-by: Joshua M. Boniface
---
 .../FirstTimeSetupHandler.cs | 4 ++++
 .../FirstTimeSetupHandlerTests.cs | 21 +++++++++++++++++++
 2 files changed, 25 insertions(+)

diff --git a/Jellyfin.Api/Auth/FirstTimeSetupPolicy/FirstTimeSetupHandler.cs b/Jellyfin.Api/Auth/FirstTimeSetupPolicy/FirstTimeSetupHandler.cs
index 2b6b2a82c4..9b4e2182c5 100644
--- a/Jellyfin.Api/Auth/FirstTimeSetupPolicy/FirstTimeSetupHandler.cs
+++ b/Jellyfin.Api/Auth/FirstTimeSetupPolicy/FirstTimeSetupHandler.cs
@@ -32,6 +32,10 @@ namespace Jellyfin.Api.Auth.FirstTimeSetupPolicy
 {
 context.Fail();
 }
+ else if (!requirement.RequireAdmin && context.User.IsInRole(UserRoles.Guest))
+ {
+ context.Fail();
+ }
 else
 {
 // Any user-specific checks are handled in the DefaultAuthorizationHandler.
diff --git a/tests/Jellyfin.Api.Tests/Auth/FirstTimeSetupPolicy/FirstTimeSetupHandlerTests.cs b/tests/Jellyfin.Api.Tests/Auth/FirstTimeSetupPolicy/FirstTimeSetupHandlerTests.cs
index 3687d77534..2e6ffb5f6a 100644
--- a/tests/Jellyfin.Api.Tests/Auth/FirstTimeSetupPolicy/FirstTimeSetupHandlerTests.cs
+++ b/tests/Jellyfin.Api.Tests/Auth/FirstTimeSetupPolicy/FirstTimeSetupHandlerTests.cs
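Review bot: The new `else if` denies only principals that carry `UserRoles.Guest`, so a principal with any other unexpected or future role that the earlier branch does not catch still falls through to the permissive `else`; for an authorization handler the fail-closed shape is an allow-list, e.g. `else if (!requirement.RequireAdmin && !(context.User.IsInRole(UserRoles.User) || context.User.IsInRole(UserRoles.Administrator)))`, assuming administrators are not also issued the User role claim (the added test gives an administrator only that single role). The condition tested by the first `if` lies above the hunk and the enclosing method starts and ends outside it, so whether that branch already covers every RequireAdmin case cannot be confirmed from here. The new branch also deserves a why-comment so the next reader does not fold it back into the `else`, e.g. `// Fail closed: a guest must never satisfy this policy on endpoints that do not require admin.`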
@@ -69,6 +69,27 @@ namespace Jellyfin.Api.Tests.Auth.FirstTimeSetupPolicy
 Assert.Equal(shouldSucceed, context.HasSucceeded);
 }
 
+ [Theory]
+ [InlineData(UserRoles.Administrator, true)]
+ [InlineData(UserRoles.Guest, false)]
+ [InlineData(UserRoles.User, true)]
+ public async Task ShouldRequireUserIfNotRequiresAdmin(string userRole, bool shouldSucceed)
+ {
+ TestHelpers.SetupConfigurationManager(_configurationManagerMock, true);
+ var claims = TestHelpers.SetupUser(
+ _userManagerMock,
+ _httpContextAccessor,
+ userRole);
+
+ var context = new AuthorizationHandlerContext(
+ new List { new FirstTimeSetupRequirement(false, false) },
+ claims,
+ null);
+
+ await _firstTimeSetupHandler.HandleAsync(context);
+ Assert.Equal(shouldSucceed, context.HasSucceeded);
+ }
+
 [Fact]
 public async Task ShouldAllowAdminApiKeyIfStartupWizardComplete()
 {
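Review bot: `ShouldRequireUserIfNotRequiresAdmin` pins the Guest denial only for `new FirstTimeSetupRequirement(false, false)` with the configuration manager set up with `true`, so the RequireAdmin=true path, the second requirement flag and the `false` configuration state are not exercised for a guest here. Unless the theory cut off at the top of the hunk already does so, a Guest row against `new FirstTimeSetupRequirement(true, false)` expecting `false` would show the denial does not depend on which branch of the handler is taken. The `new List { ... }` as rendered here has no type argument, presumably lost in rendering rather than in the commit.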