fixes #789 - Security Issue: API allows access to any folder of the PC running MediaBrowser

MediaBrowser.Controller/Net/AuthenticatedAttribute.cs

@@ -0,0 +1,41 @@
+using ServiceStack.Web;
+using System;
+
+namespace MediaBrowser.Controller.Net
+{
+    public class AuthenticatedAttribute : Attribute, IHasRequestFilter
+    {
+        public IAuthService AuthService { get; set; }
+
+        /// <summary>
+        /// The request filter is executed before the service.
+        /// </summary>
+        /// <param name="request">The http request wrapper</param>
+        /// <param name="response">The http response wrapper</param>
+        /// <param name="requestDto">The request DTO</param>
+        public void RequestFilter(IRequest request, IResponse response, object requestDto)
+        {
+            AuthService.Authenticate(request, response, requestDto);
+        }
+
+        /// <summary>
+        /// A new shallow copy of this filter is used on every request.
+        /// </summary>
+        /// <returns>IHasRequestFilter.</returns>
+        public IHasRequestFilter Copy()
+        {
+            return this;
+        }
+
+        /// <summary>
+        /// Order in which Request Filters are executed.
+        /// &lt;0 Executed before global request filters
+        /// &gt;0 Executed after global request filters
+        /// </summary>
+        /// <value>The priority.</value>
+        public int Priority
+        {
+            get { return 0; }
+        }
+    }
+}

MediaBrowser.Controller/Net/AuthorizationInfo.cs

@@ -0,0 +1,32 @@
+
+namespace MediaBrowser.Controller.Net
+{
+    public class AuthorizationInfo
+    {
+        /// <summary>
+        /// Gets or sets the user identifier.
+        /// </summary>
+        /// <value>The user identifier.</value>
+        public string UserId { get; set; }
+        /// <summary>
+        /// Gets or sets the device identifier.
+        /// </summary>
+        /// <value>The device identifier.</value>
+        public string DeviceId { get; set; }
+        /// <summary>
+        /// Gets or sets the device.
+        /// </summary>
+        /// <value>The device.</value>
+        public string Device { get; set; }
+        /// <summary>
+        /// Gets or sets the client.
+        /// </summary>
+        /// <value>The client.</value>
+        public string Client { get; set; }
+        /// <summary>
+        /// Gets or sets the version.
+        /// </summary>
+        /// <value>The version.</value>
+        public string Version { get; set; }
+    }
+}

MediaBrowser.Controller/Net/IAuthService.cs

@@ -0,0 +1,9 @@
+using ServiceStack.Web;
+
+namespace MediaBrowser.Controller.Net
+{
+    public interface IAuthService
+    {
+        void Authenticate(IRequest request, IResponse response, object requestDto);
+    }
+}

MediaBrowser.Controller/Net/IAuthorizationContext.cs

@@ -0,0 +1,14 @@
+using ServiceStack.Web;
+
+namespace MediaBrowser.Controller.Net
+{
+    public interface IAuthorizationContext
+    {
+        /// <summary>
+        /// Gets the authorization information.
+        /// </summary>
+        /// <param name="requestContext">The request context.</param>
+        /// <returns>AuthorizationInfo.</returns>
+        AuthorizationInfo GetAuthorizationInfo(IRequest requestContext);
+    }
+}

MediaBrowser.Controller/Net/IHasAuthorization.cs

@@ -0,0 +1,12 @@
+
+namespace MediaBrowser.Controller.Net
+{
+    public interface IHasAuthorization
+    {
+        /// <summary>
+        /// Gets or sets the authorization context.
+        /// </summary>
+        /// <value>The authorization context.</value>
+        IAuthorizationContext AuthorizationContext { get; set; }
+    }
+}

MediaBrowser.Controller/Net/IHasResultFactory.cs

@@ -1,5 +1,4 @@
-using MediaBrowser.Common.Net;
-using ServiceStack.Web;
+using ServiceStack.Web;
 
 namespace MediaBrowser.Controller.Net
 {

MediaBrowser.Controller/Net/IHasSession.cs

@@ -0,0 +1,12 @@
+
+namespace MediaBrowser.Controller.Net
+{
+    public interface IHasSession
+    {
+        /// <summary>
+        /// Gets or sets the session context.
+        /// </summary>
+        /// <value>The session context.</value>
+        ISessionContext SessionContext { get; set; }
+    }
+}

MediaBrowser.Controller/Net/IRestfulService.cs

@@ -5,6 +5,7 @@ namespace MediaBrowser.Controller.Net
     /// <summary>
     /// Interface IRestfulService
     /// </summary>
+    [Logged]
     public interface IRestfulService : IService
     {
     }

MediaBrowser.Controller/Net/ISessionContext.cs

@@ -0,0 +1,13 @@
+using MediaBrowser.Controller.Entities;
+using MediaBrowser.Controller.Session;
+using ServiceStack.Web;
+
+namespace MediaBrowser.Controller.Net
+{
+    public interface ISessionContext 
+    {
+        SessionInfo GetSession(IRequest requestContext);
+
+        User GetUser(IRequest requestContext);
+    }
+}

MediaBrowser.Controller/Net/LoggedAttribute.cs

@@ -0,0 +1,73 @@
+using MediaBrowser.Controller.Entities;
+using MediaBrowser.Controller.Library;
+using MediaBrowser.Controller.Session;
+using MediaBrowser.Model.Logging;
+using ServiceStack.Web;
+using System;
+
+namespace MediaBrowser.Controller.Net
+{
+    public class LoggedAttribute : Attribute, IHasRequestFilter
+    {
+        public ILogger Logger { get; set; }
+        public IUserManager UserManager { get; set; }
+        public ISessionManager SessionManager { get; set; }
+        public IAuthorizationContext AuthorizationContext { get; set; }
+
+        /// <summary>
+        /// The request filter is executed before the service.
+        /// </summary>
+        /// <param name="request">The http request wrapper</param>
+        /// <param name="response">The http response wrapper</param>
+        /// <param name="requestDto">The request DTO</param>
+        public void RequestFilter(IRequest request, IResponse response, object requestDto)
+        {
+            //This code is executed before the service
+            var auth = AuthorizationContext.GetAuthorizationInfo(request);
+
+            if (auth != null)
+            {
+                User user = null;
+
+                if (!string.IsNullOrWhiteSpace(auth.UserId))
+                {
+                    var userId = auth.UserId;
+
+                    user = UserManager.GetUserById(new Guid(userId));
+                }
+
+                string deviceId = auth.DeviceId;
+                string device = auth.Device;
+                string client = auth.Client;
+                string version = auth.Version;
+
+                if (!string.IsNullOrEmpty(client) && !string.IsNullOrEmpty(deviceId) && !string.IsNullOrEmpty(device) && !string.IsNullOrEmpty(version))
+                {
+                    var remoteEndPoint = request.RemoteIp;
+
+                    SessionManager.LogSessionActivity(client, version, deviceId, device, remoteEndPoint, user);
+                }
+            }
+        }
+
+        /// <summary>
+        /// A new shallow copy of this filter is used on every request.
+        /// </summary>
+        /// <returns>IHasRequestFilter.</returns>
+        public IHasRequestFilter Copy()
+        {
+            return this;
+        }
+
+        /// <summary>
+        /// Order in which Request Filters are executed.
+        /// &lt;0 Executed before global request filters
+        /// &gt;0 Executed after global request filters
+        /// </summary>
+        /// <value>The priority.</value>
+        public int Priority
+        {
+            get { return 0; }
+        }
+    }
+}