| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121 |
- using System.Security.Claims;
- using Jellyfin.Api.Helpers;
- using Jellyfin.Data.Enums;
- using MediaBrowser.Common.Extensions;
- using MediaBrowser.Common.Net;
- using MediaBrowser.Controller.Library;
- using Microsoft.AspNetCore.Authorization;
- using Microsoft.AspNetCore.Http;
- namespace Jellyfin.Api.Auth
- {
- /// <summary>
- /// Base authorization handler.
- /// </summary>
- /// <typeparam name="T">Type of Authorization Requirement.</typeparam>
- public abstract class BaseAuthorizationHandler<T> : AuthorizationHandler<T>
- where T : IAuthorizationRequirement
- {
- private readonly IUserManager _userManager;
- private readonly INetworkManager _networkManager;
- private readonly IHttpContextAccessor _httpContextAccessor;
- /// <summary>
- /// Initializes a new instance of the <see cref="BaseAuthorizationHandler{T}"/> class.
- /// </summary>
- /// <param name="userManager">Instance of the <see cref="IUserManager"/> interface.</param>
- /// <param name="networkManager">Instance of the <see cref="INetworkManager"/> interface.</param>
- /// <param name="httpContextAccessor">Instance of the <see cref="IHttpContextAccessor"/> interface.</param>
- protected BaseAuthorizationHandler(
- IUserManager userManager,
- INetworkManager networkManager,
- IHttpContextAccessor httpContextAccessor)
- {
- _userManager = userManager;
- _networkManager = networkManager;
- _httpContextAccessor = httpContextAccessor;
- }
- /// <summary>
- /// Gets a value indicating <see cref="INetworkManager"/> being used.
- /// </summary>
- protected INetworkManager NetworkManager => _networkManager;
- /// <summary>
- /// Gets a value indicating the <see cref="HttpContextAccessor"/> being used.
- /// </summary>
- protected IHttpContextAccessor HttpContextAccessor => _httpContextAccessor;
- /// <summary>
- /// Validate authenticated claims.
- /// </summary>
- /// <param name="claimsPrincipal">Request claims.</param>
- /// <param name="ignoreSchedule">Whether to ignore parental control.</param>
- /// <param name="localAccessOnly">Whether access is to be allowed locally only.</param>
- /// <param name="requiredDownloadPermission">Whether validation requires download permission.</param>
- /// <returns>Validated claim status.</returns>
- protected bool ValidateClaims(
- ClaimsPrincipal claimsPrincipal,
- bool ignoreSchedule = false,
- bool localAccessOnly = false,
- bool requiredDownloadPermission = false)
- {
- // ApiKey is currently global admin, always allow.
- var isApiKey = ClaimHelpers.GetIsApiKey(claimsPrincipal);
- if (isApiKey)
- {
- return true;
- }
- // Ensure claim has userId.
- var userId = ClaimHelpers.GetUserId(claimsPrincipal);
- if (!userId.HasValue)
- {
- return false;
- }
- // Ensure userId links to a valid user.
- var user = _userManager.GetUserById(userId.Value);
- if (user == null)
- {
- return false;
- }
- // Ensure user is not disabled.
- if (user.HasPermission(PermissionKind.IsDisabled))
- {
- return false;
- }
- var ip = _httpContextAccessor.HttpContext.GetNormalizedRemoteIp();
- var isInLocalNetwork = _networkManager.IsInLocalNetwork(ip);
- // User cannot access remotely and user is remote
- if (!user.HasPermission(PermissionKind.EnableRemoteAccess) && !isInLocalNetwork)
- {
- return false;
- }
- if (localAccessOnly && !isInLocalNetwork)
- {
- return false;
- }
- // User attempting to access out of parental control hours.
- if (!ignoreSchedule
- && !user.HasPermission(PermissionKind.IsAdministrator)
- && !user.IsParentalScheduleAllowed())
- {
- return false;
- }
- // User attempting to download without permission.
- if (requiredDownloadPermission
- && !user.HasPermission(PermissionKind.EnableContentDownloading))
- {
- return false;
- }
- return true;
- }
- }
- }
|
