Skip to content

Commit

Permalink
Fix get sessions with api key (jellyfin#12696)
Browse files Browse the repository at this point in the history
  • Loading branch information
@gnattu
gnattu authored Sep 24, 2024
1 parent 38d0b00 commit 75bbd30
Show file tree
Hide file tree
Showing 3 changed files with 40 additions and 10 deletions.
44 changes: 36 additions & 8 deletions Emby.Server.Implementations/Session/SessionManager.cs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1858,15 +1858,38 @@ public IReadOnlyList<SessionInfoDto> GetSessions(
Guid userId,
string deviceId,
int? activeWithinSeconds,
Guid? controllableUserToCheck)
Guid? controllableUserToCheck,
bool isApiKey)
{
var result = Sessions;
var user = _userManager.GetUserById(userId);
if (!string.IsNullOrEmpty(deviceId))
{
result = result.Where(i => string.Equals(i.DeviceId, deviceId, StringComparison.OrdinalIgnoreCase));
}

var userCanControlOthers = false;
var userIsAdmin = false;
User user = null;

if (isApiKey)
{
userCanControlOthers = true;
userIsAdmin = true;
}
else if (!userId.IsEmpty())
{
user = _userManager.GetUserById(userId);
if (user is not null)
{
userCanControlOthers = user.HasPermission(PermissionKind.EnableRemoteControlOfOtherUsers);
userIsAdmin = user.HasPermission(PermissionKind.IsAdministrator);
}
else
{
return [];
}
}

if (!controllableUserToCheck.IsNullOrEmpty())
{
result = result.Where(i => i.SupportsRemoteControl);
Expand All @@ -1883,29 +1906,34 @@ public IReadOnlyList<SessionInfoDto> GetSessions(
result = result.Where(i => !i.UserId.IsEmpty());
}

if (!user.HasPermission(PermissionKind.EnableRemoteControlOfOtherUsers))
if (!userCanControlOthers)
{
// User cannot control other user's sessions, validate user id.
result = result.Where(i => i.UserId.IsEmpty() || i.ContainsUser(user.Id));
result = result.Where(i => i.UserId.IsEmpty() || i.ContainsUser(userId));
}

result = result.Where(i =>
{
if (!string.IsNullOrWhiteSpace(i.DeviceId) && !_deviceManager.CanAccessDevice(user, i.DeviceId))
if (isApiKey)
{
return true;
}
if (user is null)
{
return false;
}
return true;
return string.IsNullOrWhiteSpace(i.DeviceId) || _deviceManager.CanAccessDevice(user, i.DeviceId);
});
}
else if (!user.HasPermission(PermissionKind.IsAdministrator))
else if (!userIsAdmin)
{
// Request isn't from administrator, limit to "own" sessions.
result = result.Where(i => i.UserId.IsEmpty() || i.ContainsUser(userId));
}

if (!user.HasPermission(PermissionKind.IsAdministrator))
if (!userIsAdmin)
{
// Don't report acceleration type for non-admin users.
result = result.Select(r =>
Expand Down
3 changes: 2 additions & 1 deletion Jellyfin.Api/Controllers/SessionController.cs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -62,7 +62,8 @@ public ActionResult<IReadOnlyList<SessionInfoDto>> GetSessions(
User.GetUserId(),
deviceId,
activeWithinSeconds,
controllableUserToCheck);
controllableUserToCheck,
User.GetIsApiKey());

return Ok(result);
}
Expand Down
3 changes: 2 additions & 1 deletion MediaBrowser.Controller/Session/ISessionManager.cs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -300,8 +300,9 @@ public interface ISessionManager
/// <param name="deviceId">The device id.</param>
/// <param name="activeWithinSeconds">Active within session limit.</param>
/// <param name="controllableUserToCheck">Filter for sessions remote controllable for this user.</param>
/// <param name="isApiKey">Is the request authenticated with API key.</param>
/// <returns>IReadOnlyList{SessionInfoDto}.</returns>
IReadOnlyList<SessionInfoDto> GetSessions(Guid userId, string deviceId, int? activeWithinSeconds, Guid? controllableUserToCheck);
IReadOnlyList<SessionInfoDto> GetSessions(Guid userId, string deviceId, int? activeWithinSeconds, Guid? controllableUserToCheck, bool isApiKey);

/// <summary>
/// Gets the session by authentication token.
Expand Down

0 comments on commit 75bbd30

Please sign in to comment.