You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
112 lines
4.0 KiB
112 lines
4.0 KiB
using System.Security.Claims;
|
|
using Jellyfin.Api.Helpers;
|
|
using Jellyfin.Data.Enums;
|
|
using MediaBrowser.Common.Extensions;
|
|
using MediaBrowser.Common.Net;
|
|
using MediaBrowser.Controller.Library;
|
|
using Microsoft.AspNetCore.Authorization;
|
|
using Microsoft.AspNetCore.Http;
|
|
|
|
namespace Jellyfin.Api.Auth
|
|
{
|
|
/// <summary>
|
|
/// Base authorization handler.
|
|
/// </summary>
|
|
/// <typeparam name="T">Type of Authorization Requirement.</typeparam>
|
|
public abstract class BaseAuthorizationHandler<T> : AuthorizationHandler<T>
|
|
where T : IAuthorizationRequirement
|
|
{
|
|
private readonly IUserManager _userManager;
|
|
private readonly INetworkManager _networkManager;
|
|
private readonly IHttpContextAccessor _httpContextAccessor;
|
|
|
|
/// <summary>
|
|
/// Initializes a new instance of the <see cref="BaseAuthorizationHandler{T}"/> class.
|
|
/// </summary>
|
|
/// <param name="userManager">Instance of the <see cref="IUserManager"/> interface.</param>
|
|
/// <param name="networkManager">Instance of the <see cref="INetworkManager"/> interface.</param>
|
|
/// <param name="httpContextAccessor">Instance of the <see cref="IHttpContextAccessor"/> interface.</param>
|
|
protected BaseAuthorizationHandler(
|
|
IUserManager userManager,
|
|
INetworkManager networkManager,
|
|
IHttpContextAccessor httpContextAccessor)
|
|
{
|
|
_userManager = userManager;
|
|
_networkManager = networkManager;
|
|
_httpContextAccessor = httpContextAccessor;
|
|
}
|
|
|
|
/// <summary>
|
|
/// Validate authenticated claims.
|
|
/// </summary>
|
|
/// <param name="claimsPrincipal">Request claims.</param>
|
|
/// <param name="ignoreSchedule">Whether to ignore parental control.</param>
|
|
/// <param name="localAccessOnly">Whether access is to be allowed locally only.</param>
|
|
/// <param name="requiredDownloadPermission">Whether validation requires download permission.</param>
|
|
/// <returns>Validated claim status.</returns>
|
|
protected bool ValidateClaims(
|
|
ClaimsPrincipal claimsPrincipal,
|
|
bool ignoreSchedule = false,
|
|
bool localAccessOnly = false,
|
|
bool requiredDownloadPermission = false)
|
|
{
|
|
// ApiKey is currently global admin, always allow.
|
|
var isApiKey = ClaimHelpers.GetIsApiKey(claimsPrincipal);
|
|
if (isApiKey)
|
|
{
|
|
return true;
|
|
}
|
|
|
|
// Ensure claim has userId.
|
|
var userId = ClaimHelpers.GetUserId(claimsPrincipal);
|
|
if (!userId.HasValue)
|
|
{
|
|
return false;
|
|
}
|
|
|
|
// Ensure userId links to a valid user.
|
|
var user = _userManager.GetUserById(userId.Value);
|
|
if (user == null)
|
|
{
|
|
return false;
|
|
}
|
|
|
|
// Ensure user is not disabled.
|
|
if (user.HasPermission(PermissionKind.IsDisabled))
|
|
{
|
|
return false;
|
|
}
|
|
|
|
var ip = _httpContextAccessor.HttpContext.GetNormalizedRemoteIp();
|
|
var isInLocalNetwork = _networkManager.IsInLocalNetwork(ip);
|
|
// User cannot access remotely and user is remote
|
|
if (!user.HasPermission(PermissionKind.EnableRemoteAccess) && !isInLocalNetwork)
|
|
{
|
|
return false;
|
|
}
|
|
|
|
if (localAccessOnly && !isInLocalNetwork)
|
|
{
|
|
return false;
|
|
}
|
|
|
|
// User attempting to access out of parental control hours.
|
|
if (!ignoreSchedule
|
|
&& !user.HasPermission(PermissionKind.IsAdministrator)
|
|
&& !user.IsParentalScheduleAllowed())
|
|
{
|
|
return false;
|
|
}
|
|
|
|
// User attempting to download without permission.
|
|
if (requiredDownloadPermission
|
|
&& !user.HasPermission(PermissionKind.EnableContentDownloading))
|
|
{
|
|
return false;
|
|
}
|
|
|
|
return true;
|
|
}
|
|
}
|
|
}
|