From dc2db22c3db983a3c787877e2e359d7bab4970d2 Mon Sep 17 00:00:00 2001
From: thornbill <thornbill@users.noreply.github.com>
Date: Sat, 1 Jun 2024 18:41:08 -0400
Subject: Backport pull request #11873 from jellyfin/release-10.9.z

Fix FirstTimeSetupHandler allowing public access

Original-merge: 869dab2ba2900c18f9de817607e1b0d3681f8ac9

Merged-by: joshuaboniface <joshua@boniface.me>

Backported-by: Joshua M. Boniface <joshua@boniface.me>
---
 .../Auth/FirstTimeSetupPolicy/FirstTimeSetupHandler.cs | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

(limited to 'Jellyfin.Api/Auth/FirstTimeSetupPolicy/FirstTimeSetupHandler.cs')

diff --git a/Jellyfin.Api/Auth/FirstTimeSetupPolicy/FirstTimeSetupHandler.cs b/Jellyfin.Api/Auth/FirstTimeSetupPolicy/FirstTimeSetupHandler.cs
index 9b4e2182c5..e425000cd6 100644
--- a/Jellyfin.Api/Auth/FirstTimeSetupPolicy/FirstTimeSetupHandler.cs
+++ b/Jellyfin.Api/Auth/FirstTimeSetupPolicy/FirstTimeSetupHandler.cs
@@ -1,5 +1,6 @@
 using System.Threading.Tasks;
 using Jellyfin.Api.Constants;
+using Jellyfin.Api.Extensions;
 using MediaBrowser.Common.Configuration;
 using Microsoft.AspNetCore.Authorization;
 
@@ -24,24 +25,31 @@ namespace Jellyfin.Api.Auth.FirstTimeSetupPolicy
         /// <inheritdoc />
         protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, FirstTimeSetupRequirement requirement)
         {
+            // Succeed if the startup wizard / first time setup is not complete
             if (!_configurationManager.CommonConfiguration.IsStartupWizardCompleted)
             {
                 context.Succeed(requirement);
             }
-            else if (requirement.RequireAdmin && !context.User.IsInRole(UserRoles.Administrator))
+
+            // Succeed if user is admin
+            else if (context.User.IsInRole(UserRoles.Administrator))
             {
-                context.Fail();
+                context.Succeed(requirement);
             }
-            else if (!requirement.RequireAdmin && context.User.IsInRole(UserRoles.Guest))
+
+            // Fail if admin is required and user is not admin
+            else if (requirement.RequireAdmin)
             {
                 context.Fail();
             }
-            else
+
+            // Succeed if admin is not required and user is not guest
+            else if (context.User.IsInRole(UserRoles.User))
             {
-                // Any user-specific checks are handled in the DefaultAuthorizationHandler.
                 context.Succeed(requirement);
             }
 
+            // Any user-specific checks are handled in the DefaultAuthorizationHandler.
             return Task.CompletedTask;
         }
     }
-- 
cgit v1.2.3