Fix get sessions with api key (#12696)

2026-01-15 23:58:57 +00:00 · 2024-09-24 22:15:53 +08:00
parent 38d0b004ba
commit 75bbd30296
3 changed files with 40 additions and 10 deletions
--- a/Emby.Server.Implementations/Session/SessionManager.cs
+++ b/Emby.Server.Implementations/Session/SessionManager.cs
@@ -1858,15 +1858,38 @@ namespace Emby.Server.Implementations.Session
            Guid userId,
            string deviceId,
            int? activeWithinSeconds,
-            Guid? controllableUserToCheck)
+            Guid? controllableUserToCheck,
+            bool isApiKey)
        {
            var result = Sessions;
-            var user = _userManager.GetUserById(userId);
            if (!string.IsNullOrEmpty(deviceId))
            {
                result = result.Where(i => string.Equals(i.DeviceId, deviceId, StringComparison.OrdinalIgnoreCase));
            }

+            var userCanControlOthers = false;
+            var userIsAdmin = false;
+            User user = null;
+
+            if (isApiKey)
+            {
+                userCanControlOthers = true;
+                userIsAdmin = true;
+            }
+            else if (!userId.IsEmpty())
+            {
+                user = _userManager.GetUserById(userId);
+                if (user is not null)
+                {
+                    userCanControlOthers = user.HasPermission(PermissionKind.EnableRemoteControlOfOtherUsers);
+                    userIsAdmin = user.HasPermission(PermissionKind.IsAdministrator);
+                }
+                else
+                {
+                    return [];
+                }
+            }
+
            if (!controllableUserToCheck.IsNullOrEmpty())
            {
                result = result.Where(i => i.SupportsRemoteControl);
@@ -1883,29 +1906,34 @@ namespace Emby.Server.Implementations.Session
                    result = result.Where(i => !i.UserId.IsEmpty());
                }

-                if (!user.HasPermission(PermissionKind.EnableRemoteControlOfOtherUsers))
+                if (!userCanControlOthers)
                {
                    // User cannot control other user's sessions, validate user id.
-                    result = result.Where(i => i.UserId.IsEmpty() || i.ContainsUser(user.Id));
+                    result = result.Where(i => i.UserId.IsEmpty() || i.ContainsUser(userId));
                }

                result = result.Where(i =>
                {
-                    if (!string.IsNullOrWhiteSpace(i.DeviceId) && !_deviceManager.CanAccessDevice(user, i.DeviceId))
+                    if (isApiKey)
+                    {
+                        return true;
+                    }
+
+                    if (user is null)
                    {
                        return false;
                    }

-                    return true;
+                    return string.IsNullOrWhiteSpace(i.DeviceId) || _deviceManager.CanAccessDevice(user, i.DeviceId);
                });
            }
-            else if (!user.HasPermission(PermissionKind.IsAdministrator))
+            else if (!userIsAdmin)
            {
                // Request isn't from administrator, limit to "own" sessions.
                result = result.Where(i => i.UserId.IsEmpty() || i.ContainsUser(userId));
            }

-            if (!user.HasPermission(PermissionKind.IsAdministrator))
+            if (!userIsAdmin)
            {
                // Don't report acceleration type for non-admin users.
                result = result.Select(r =>