Fix FirstTimeSetupPolicy allowing guest access (#11651)

2026-01-15 16:33:25 -03:00 · 2024-05-15 09:06:10 -04:00
parent 3f760e6685
commit 2cb052a119
2 changed files with 25 additions and 0 deletions
--- a/Jellyfin.Api/Auth/FirstTimeSetupPolicy/FirstTimeSetupHandler.cs
+++ b/Jellyfin.Api/Auth/FirstTimeSetupPolicy/FirstTimeSetupHandler.cs
@@ -32,6 +32,10 @@ namespace Jellyfin.Api.Auth.FirstTimeSetupPolicy
            {
                context.Fail();
            }
+            else if (!requirement.RequireAdmin && context.User.IsInRole(UserRoles.Guest))
+            {
+                context.Fail();
+            }
            else
            {
                // Any user-specific checks are handled in the DefaultAuthorizationHandler.
--- a/tests/Jellyfin.Api.Tests/Auth/FirstTimeSetupPolicy/FirstTimeSetupHandlerTests.cs
+++ b/tests/Jellyfin.Api.Tests/Auth/FirstTimeSetupPolicy/FirstTimeSetupHandlerTests.cs
@@ -69,6 +69,27 @@ namespace Jellyfin.Api.Tests.Auth.FirstTimeSetupPolicy
            Assert.Equal(shouldSucceed, context.HasSucceeded);
        }

+        [Theory]
+        [InlineData(UserRoles.Administrator, true)]
+        [InlineData(UserRoles.Guest, false)]
+        [InlineData(UserRoles.User, true)]
+        public async Task ShouldRequireUserIfNotRequiresAdmin(string userRole, bool shouldSucceed)
+        {
+            TestHelpers.SetupConfigurationManager(_configurationManagerMock, true);
+            var claims = TestHelpers.SetupUser(
+                _userManagerMock,
+                _httpContextAccessor,
+                userRole);
+
+            var context = new AuthorizationHandlerContext(
+                new List<IAuthorizationRequirement> { new FirstTimeSetupRequirement(false, false) },
+                claims,
+                null);
+
+            await _firstTimeSetupHandler.HandleAsync(context);
+            Assert.Equal(shouldSucceed, context.HasSucceeded);
+        }
+
        [Fact]
        public async Task ShouldAllowAdminApiKeyIfStartupWizardComplete()
        {