Merge pull request #3187 from jellyfin/revert-2492-fix-api-private-data-leak

Revert "Fix emby/user/public API leaking sensitive data"
This commit is contained in:
Joshua M. Boniface 2020-05-26 19:57:24 -04:00 committed by GitHub
commit b33fa06efa
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 11 additions and 108 deletions

View File

@ -608,31 +608,6 @@ namespace Emby.Server.Implementations.Library
return dto;
}
public PublicUserDto GetPublicUserDto(User user, string remoteEndPoint = null)
{
if (user == null)
{
throw new ArgumentNullException(nameof(user));
}
IAuthenticationProvider authenticationProvider = GetAuthenticationProvider(user);
bool hasConfiguredPassword = authenticationProvider.HasPassword(user);
bool hasConfiguredEasyPassword = !string.IsNullOrEmpty(authenticationProvider.GetEasyPasswordHash(user));
bool hasPassword = user.Configuration.EnableLocalPassword &&
!string.IsNullOrEmpty(remoteEndPoint) &&
_networkManager.IsInLocalNetwork(remoteEndPoint) ? hasConfiguredEasyPassword : hasConfiguredPassword;
PublicUserDto dto = new PublicUserDto
{
Name = user.Name,
HasPassword = hasPassword,
HasConfiguredPassword = hasConfiguredPassword,
};
return dto;
}
public UserDto GetOfflineUserDto(User user)
{
var dto = GetUserDto(user);

View File

@ -35,7 +35,7 @@ namespace MediaBrowser.Api
}
[Route("/Users/Public", "GET", Summary = "Gets a list of publicly visible users for display on a login screen.")]
public class GetPublicUsers : IReturn<PublicUserDto[]>
public class GetPublicUsers : IReturn<UserDto[]>
{
}
@ -266,38 +266,22 @@ namespace MediaBrowser.Api
_authContext = authContext;
}
/// <summary>
/// Gets the public available Users information
/// </summary>
/// <param name="request">The request.</param>
/// <returns>System.Object.</returns>
public object Get(GetPublicUsers request)
{
var result = _userManager
.Users
.Where(item => !item.Policy.IsDisabled);
if (ServerConfigurationManager.Configuration.IsStartupWizardCompleted)
// If the startup wizard hasn't been completed then just return all users
if (!ServerConfigurationManager.Configuration.IsStartupWizardCompleted)
{
var deviceId = _authContext.GetAuthorizationInfo(Request).DeviceId;
result = result.Where(item => !item.Policy.IsHidden);
if (!string.IsNullOrWhiteSpace(deviceId))
return Get(new GetUsers
{
result = result.Where(i => _deviceManager.CanAccessDevice(i, deviceId));
IsDisabled = false
});
}
if (!_networkManager.IsInLocalNetwork(Request.RemoteIp))
return Get(new GetUsers
{
result = result.Where(i => i.Policy.EnableRemoteAccess);
}
}
return ToOptimizedResult(result
.OrderBy(u => u.Name)
.Select(i => _userManager.GetPublicUserDto(i, Request.RemoteIp))
.ToArray()
);
IsHidden = false,
IsDisabled = false
}, true, true);
}
/// <summary>

View File

@ -143,14 +143,6 @@ namespace MediaBrowser.Controller.Library
/// <returns>UserDto.</returns>
UserDto GetUserDto(User user, string remoteEndPoint = null);
/// <summary>
/// Gets the user public dto.
/// </summary>
/// <param name="user">Ther user.</param>\
/// <param name="remoteEndPoint">The remote end point.</param>
/// <returns>A public UserDto, aka a UserDto stripped of personal data.</returns>
PublicUserDto GetPublicUserDto(User user, string remoteEndPoint = null);
/// <summary>
/// Authenticates the user.
/// </summary>

View File

@ -1,48 +0,0 @@
using System;
namespace MediaBrowser.Model.Dto
{
/// <summary>
/// Class PublicUserDto. Its goal is to show only public information about a user
/// </summary>
public class PublicUserDto : IItemDto
{
/// <summary>
/// Gets or sets the name.
/// </summary>
/// <value>The name.</value>
public string Name { get; set; }
/// <summary>
/// Gets or sets the primary image tag.
/// </summary>
/// <value>The primary image tag.</value>
public string PrimaryImageTag { get; set; }
/// <summary>
/// Gets or sets a value indicating whether this instance has password.
/// </summary>
/// <value><c>true</c> if this instance has password; otherwise, <c>false</c>.</value>
public bool HasPassword { get; set; }
/// <summary>
/// Gets or sets a value indicating whether this instance has configured password.
/// Note that in this case this method should not be here, but it is necessary when changing password at the
/// first login.
/// </summary>
/// <value><c>true</c> if this instance has configured password; otherwise, <c>false</c>.</value>
public bool HasConfiguredPassword { get; set; }
/// <summary>
/// Gets or sets the primary image aspect ratio.
/// </summary>
/// <value>The primary image aspect ratio.</value>
public double? PrimaryImageAspectRatio { get; set; }
/// <inheritdoc />
public override string ToString()
{
return Name ?? base.ToString();
}
}
}