From f984f31896d9f5b34b488efb845d73f901fc9a80 Mon Sep 17 00:00:00 2001
From: cvium
Date: Thu, 9 Feb 2023 08:53:59 +0100
Subject: [PATCH] admins shouldn't be able to circumvent remote access policies

---
 .../DefaultAuthorizationHandler.cs | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/Jellyfin.Api/Auth/DefaultAuthorizationPolicy/DefaultAuthorizationHandler.cs b/Jellyfin.Api/Auth/DefaultAuthorizationPolicy/DefaultAuthorizationHandler.cs
index 7489e2a35c..0f3c69abc8 100644
--- a/Jellyfin.Api/Auth/DefaultAuthorizationPolicy/DefaultAuthorizationHandler.cs
+++ b/Jellyfin.Api/Auth/DefaultAuthorizationPolicy/DefaultAuthorizationHandler.cs
@@ -38,13 +38,6 @@ namespace Jellyfin.Api.Auth.DefaultAuthorizationPolicy
         ///
         protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, DefaultAuthorizationRequirement requirement)
         {
-            // Admins can do everything
-            if (context.User.GetIsApiKey() || context.User.IsInRole(UserRoles.Administrator))
-            {
-                context.Succeed(requirement);
-                return Task.CompletedTask;
-            }
-
             var userId = context.User.GetUserId();
             // This likely only happens during the wizard, so skip the default checks and let any other handlers do it
             if (userId.Equals(default))
@@ -62,6 +55,13 @@ namespace Jellyfin.Api.Auth.DefaultAuthorizationPolicy
                 return Task.CompletedTask;
             }
 
+            // Admins can do everything
+            if (context.User.GetIsApiKey() || context.User.IsInRole(UserRoles.Administrator))
+            {
+                context.Succeed(requirement);
+                return Task.CompletedTask;
+            }
+
             // It's not great to have this check, but parental schedule must usually be honored except in a few rare cases
             if (requirement.ValidateParentalSchedule && !user.IsParentalScheduleAllowed())
             {
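Review bot: The relocated admin/API-key short-circuit in the second hunk now runs after `context.User.GetUserId()` and the `userId.Equals(default)` early exit, so an API-key principal that carries no user id never reaches the explicit `GetIsApiKey()` success path and is decided by the wizard branch instead. That branch's body lies between the two hunks and is not visible here, so it is worth confirming it still succeeds the requirement for API keys rather than leaving it undecided, and that API-key requests are meant to be subject to the checks that now precede the short-circuit. The moved comment `// Admins can do everything` is also no longer accurate, since the checks it now follows (per the commit title, the remote access policy) apply to admins too; suggest `// Admins and API keys skip the remaining (parental schedule) checks; the access checks above still apply to them`. HandleRequirementAsync continues past the end of the second hunk.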