< Summary - Jellyfin

Information
Class: Jellyfin.Api.Controllers.UserController
Assembly: Jellyfin.Api
File(s): /srv/git/jellyfin/Jellyfin.Api/Controllers/UserController.cs
Line coverage
70%
Covered lines: 40
Uncovered lines: 17
Coverable lines: 57
Total lines: 659
Line coverage: 70.1%
Branch coverage
55%
Covered branches: 11
Total branches: 20
Branch coverage: 55%
Method coverage

Feature is only available for sponsors

Upgrade to PRO version

Coverage history

Coverage history 0 25 50 75 100 8/14/2025 - 12:11:05 AM Line coverage: 70.1% (40/57) Branch coverage: 55% (11/20) Total lines: 659 8/14/2025 - 12:11:05 AM Line coverage: 70.1% (40/57) Branch coverage: 55% (11/20) Total lines: 659

Metrics

MethodBranch coverage Crap Score Cyclomatic complexity Line coverage
.ctor(...)100%11100%
GetUsers(...)100%11100%
GetPublicUsers()50%2266.66%
GetUserById(...)0%620%
AuthenticateWithQuickConnect(...)100%210%
GetCurrentUser()50%4471.42%
Get(...)66.66%161268.75%

File(s)

/srv/git/jellyfin/Jellyfin.Api/Controllers/UserController.cs

#LineLine coverage
 1using System;
 2using System.Collections.Generic;
 3using System.ComponentModel.DataAnnotations;
 4using System.Linq;
 5using System.Threading.Tasks;
 6using Jellyfin.Api.Constants;
 7using Jellyfin.Api.Extensions;
 8using Jellyfin.Api.Helpers;
 9using Jellyfin.Api.Models.UserDtos;
 10using Jellyfin.Data;
 11using Jellyfin.Database.Implementations.Enums;
 12using Jellyfin.Extensions;
 13using MediaBrowser.Common.Api;
 14using MediaBrowser.Common.Extensions;
 15using MediaBrowser.Common.Net;
 16using MediaBrowser.Controller.Authentication;
 17using MediaBrowser.Controller.Configuration;
 18using MediaBrowser.Controller.Devices;
 19using MediaBrowser.Controller.Library;
 20using MediaBrowser.Controller.Net;
 21using MediaBrowser.Controller.Playlists;
 22using MediaBrowser.Controller.QuickConnect;
 23using MediaBrowser.Controller.Session;
 24using MediaBrowser.Model.Configuration;
 25using MediaBrowser.Model.Dto;
 26using MediaBrowser.Model.Users;
 27using Microsoft.AspNetCore.Authorization;
 28using Microsoft.AspNetCore.Http;
 29using Microsoft.AspNetCore.Mvc;
 30using Microsoft.Extensions.Logging;
 31
 32namespace Jellyfin.Api.Controllers;
 33
 34/// <summary>
 35/// User controller.
 36/// </summary>
 37[Route("Users")]
 38public class UserController : BaseJellyfinApiController
 39{
 40    private readonly IUserManager _userManager;
 41    private readonly ISessionManager _sessionManager;
 42    private readonly INetworkManager _networkManager;
 43    private readonly IDeviceManager _deviceManager;
 44    private readonly IAuthorizationContext _authContext;
 45    private readonly IServerConfigurationManager _config;
 46    private readonly ILogger _logger;
 47    private readonly IQuickConnect _quickConnectManager;
 48    private readonly IPlaylistManager _playlistManager;
 49
 50    /// <summary>
 51    /// Initializes a new instance of the <see cref="UserController"/> class.
 52    /// </summary>
 53    /// <param name="userManager">Instance of the <see cref="IUserManager"/> interface.</param>
 54    /// <param name="sessionManager">Instance of the <see cref="ISessionManager"/> interface.</param>
 55    /// <param name="networkManager">Instance of the <see cref="INetworkManager"/> interface.</param>
 56    /// <param name="deviceManager">Instance of the <see cref="IDeviceManager"/> interface.</param>
 57    /// <param name="authContext">Instance of the <see cref="IAuthorizationContext"/> interface.</param>
 58    /// <param name="config">Instance of the <see cref="IServerConfigurationManager"/> interface.</param>
 59    /// <param name="logger">Instance of the <see cref="ILogger"/> interface.</param>
 60    /// <param name="quickConnectManager">Instance of the <see cref="IQuickConnect"/> interface.</param>
 61    /// <param name="playlistManager">Instance of the <see cref="IPlaylistManager"/> interface.</param>
 5062    public UserController(
 5063        IUserManager userManager,
 5064        ISessionManager sessionManager,
 5065        INetworkManager networkManager,
 5066        IDeviceManager deviceManager,
 5067        IAuthorizationContext authContext,
 5068        IServerConfigurationManager config,
 5069        ILogger<UserController> logger,
 5070        IQuickConnect quickConnectManager,
 5071        IPlaylistManager playlistManager)
 72    {
 5073        _userManager = userManager;
 5074        _sessionManager = sessionManager;
 5075        _networkManager = networkManager;
 5076        _deviceManager = deviceManager;
 5077        _authContext = authContext;
 5078        _config = config;
 5079        _logger = logger;
 5080        _quickConnectManager = quickConnectManager;
 5081        _playlistManager = playlistManager;
 5082    }
 83
 84    /// <summary>
 85    /// Gets a list of users.
 86    /// </summary>
 87    /// <param name="isHidden">Optional filter by IsHidden=true or false.</param>
 88    /// <param name="isDisabled">Optional filter by IsDisabled=true or false.</param>
 89    /// <response code="200">Users returned.</response>
 90    /// <returns>An <see cref="IEnumerable{UserDto}"/> containing the users.</returns>
 91    [HttpGet]
 92    [Authorize]
 93    [ProducesResponseType(StatusCodes.Status200OK)]
 94    public ActionResult<IEnumerable<UserDto>> GetUsers(
 95        [FromQuery] bool? isHidden,
 96        [FromQuery] bool? isDisabled)
 97    {
 398        var users = Get(isHidden, isDisabled, false, false);
 399        return Ok(users);
 100    }
 101
 102    /// <summary>
 103    /// Gets a list of publicly visible users for display on a login screen.
 104    /// </summary>
 105    /// <response code="200">Public users returned.</response>
 106    /// <returns>An <see cref="IEnumerable{UserDto}"/> containing the public users.</returns>
 107    [HttpGet("Public")]
 108    [ProducesResponseType(StatusCodes.Status200OK)]
 109    public ActionResult<IEnumerable<UserDto>> GetPublicUsers()
 110    {
 111        // If the startup wizard hasn't been completed then just return all users
 1112        if (!_config.Configuration.IsStartupWizardCompleted)
 113        {
 1114            return Ok(Get(false, false, false, false));
 115        }
 116
 0117        return Ok(Get(false, false, true, true));
 118    }
 119
 120    /// <summary>
 121    /// Gets a user by Id.
 122    /// </summary>
 123    /// <param name="userId">The user id.</param>
 124    /// <response code="200">User returned.</response>
 125    /// <response code="404">User not found.</response>
 126    /// <returns>An <see cref="UserDto"/> with information about the user or a <see cref="NotFoundResult"/> if the user 
 127    [HttpGet("{userId}")]
 128    [Authorize(Policy = Policies.IgnoreParentalControl)]
 129    [ProducesResponseType(StatusCodes.Status200OK)]
 130    [ProducesResponseType(StatusCodes.Status404NotFound)]
 131    public ActionResult<UserDto> GetUserById([FromRoute, Required] Guid userId)
 132    {
 0133        var user = _userManager.GetUserById(userId);
 134
 0135        if (user is null)
 136        {
 0137            return NotFound("User not found");
 138        }
 139
 0140        var result = _userManager.GetUserDto(user, HttpContext.GetNormalizedRemoteIP().ToString());
 0141        return result;
 142    }
 143
 144    /// <summary>
 145    /// Deletes a user.
 146    /// </summary>
 147    /// <param name="userId">The user id.</param>
 148    /// <response code="204">User deleted.</response>
 149    /// <response code="404">User not found.</response>
 150    /// <returns>A <see cref="NoContentResult"/> indicating success or a <see cref="NotFoundResult"/> if the user was no
 151    [HttpDelete("{userId}")]
 152    [Authorize(Policy = Policies.RequiresElevation)]
 153    [ProducesResponseType(StatusCodes.Status204NoContent)]
 154    [ProducesResponseType(StatusCodes.Status404NotFound)]
 155    public async Task<ActionResult> DeleteUser([FromRoute, Required] Guid userId)
 156    {
 157        var user = _userManager.GetUserById(userId);
 158        if (user is null)
 159        {
 160            return NotFound();
 161        }
 162
 163        await _sessionManager.RevokeUserTokens(user.Id, null).ConfigureAwait(false);
 164        await _playlistManager.RemovePlaylistsAsync(userId).ConfigureAwait(false);
 165        await _userManager.DeleteUserAsync(userId).ConfigureAwait(false);
 166        return NoContent();
 167    }
 168
 169    /// <summary>
 170    /// Authenticates a user.
 171    /// </summary>
 172    /// <param name="userId">The user id.</param>
 173    /// <param name="pw">The password as plain text.</param>
 174    /// <response code="200">User authenticated.</response>
 175    /// <response code="403">Sha1-hashed password only is not allowed.</response>
 176    /// <response code="404">User not found.</response>
 177    /// <returns>A <see cref="Task"/> containing an <see cref="AuthenticationResult"/>.</returns>
 178    [HttpPost("{userId}/Authenticate")]
 179    [ProducesResponseType(StatusCodes.Status200OK)]
 180    [ProducesResponseType(StatusCodes.Status403Forbidden)]
 181    [ProducesResponseType(StatusCodes.Status404NotFound)]
 182    [ApiExplorerSettings(IgnoreApi = true)]
 183    [Obsolete("Authenticate with username instead")]
 184    public async Task<ActionResult<AuthenticationResult>> AuthenticateUser(
 185        [FromRoute, Required] Guid userId,
 186        [FromQuery, Required] string pw)
 187    {
 188        var user = _userManager.GetUserById(userId);
 189
 190        if (user is null)
 191        {
 192            return NotFound("User not found");
 193        }
 194
 195        AuthenticateUserByName request = new AuthenticateUserByName
 196        {
 197            Username = user.Username,
 198            Pw = pw
 199        };
 200        return await AuthenticateUserByName(request).ConfigureAwait(false);
 201    }
 202
 203    /// <summary>
 204    /// Authenticates a user by name.
 205    /// </summary>
 206    /// <param name="request">The <see cref="AuthenticateUserByName"/> request.</param>
 207    /// <response code="200">User authenticated.</response>
 208    /// <returns>A <see cref="Task"/> containing an <see cref="AuthenticationRequest"/> with information about the new s
 209    [HttpPost("AuthenticateByName")]
 210    [ProducesResponseType(StatusCodes.Status200OK)]
 211    public async Task<ActionResult<AuthenticationResult>> AuthenticateUserByName([FromBody, Required] AuthenticateUserBy
 212    {
 213        var auth = await _authContext.GetAuthorizationInfo(Request).ConfigureAwait(false);
 214
 215        try
 216        {
 217            var result = await _sessionManager.AuthenticateNewSession(new AuthenticationRequest
 218            {
 219                App = auth.Client,
 220                AppVersion = auth.Version,
 221                DeviceId = auth.DeviceId,
 222                DeviceName = auth.Device,
 223                Password = request.Pw,
 224                RemoteEndPoint = HttpContext.GetNormalizedRemoteIP().ToString(),
 225                Username = request.Username
 226            }).ConfigureAwait(false);
 227
 228            return result;
 229        }
 230        catch (SecurityException e)
 231        {
 232            // rethrow adding IP address to message
 233            throw new SecurityException($"[{HttpContext.GetNormalizedRemoteIP()}] {e.Message}", e);
 234        }
 235    }
 236
 237    /// <summary>
 238    /// Authenticates a user with quick connect.
 239    /// </summary>
 240    /// <param name="request">The <see cref="QuickConnectDto"/> request.</param>
 241    /// <response code="200">User authenticated.</response>
 242    /// <response code="400">Missing token.</response>
 243    /// <returns>A <see cref="Task"/> containing an <see cref="AuthenticationRequest"/> with information about the new s
 244    [HttpPost("AuthenticateWithQuickConnect")]
 245    [ProducesResponseType(StatusCodes.Status200OK)]
 246    public ActionResult<AuthenticationResult> AuthenticateWithQuickConnect([FromBody, Required] QuickConnectDto request)
 247    {
 248        try
 249        {
 0250            return _quickConnectManager.GetAuthorizedRequest(request.Secret);
 251        }
 0252        catch (SecurityException e)
 253        {
 254            // rethrow adding IP address to message
 0255            throw new SecurityException($"[{HttpContext.GetNormalizedRemoteIP()}] {e.Message}", e);
 256        }
 0257    }
 258
 259    /// <summary>
 260    /// Updates a user's password.
 261    /// </summary>
 262    /// <param name="userId">The user id.</param>
 263    /// <param name="request">The <see cref="UpdateUserPassword"/> request.</param>
 264    /// <response code="204">Password successfully reset.</response>
 265    /// <response code="403">User is not allowed to update the password.</response>
 266    /// <response code="404">User not found.</response>
 267    /// <returns>A <see cref="NoContentResult"/> indicating success or a <see cref="ForbidResult"/> or a <see cref="NotF
 268    [HttpPost("Password")]
 269    [Authorize]
 270    [ProducesResponseType(StatusCodes.Status204NoContent)]
 271    [ProducesResponseType(StatusCodes.Status403Forbidden)]
 272    [ProducesResponseType(StatusCodes.Status404NotFound)]
 273    public async Task<ActionResult> UpdateUserPassword(
 274        [FromQuery] Guid? userId,
 275        [FromBody, Required] UpdateUserPassword request)
 276    {
 277        var requestUserId = userId ?? User.GetUserId();
 278        var user = _userManager.GetUserById(requestUserId);
 279        if (user is null)
 280        {
 281            return NotFound();
 282        }
 283
 284        if (!RequestHelpers.AssertCanUpdateUser(User, user, true))
 285        {
 286            return StatusCode(StatusCodes.Status403Forbidden, "User is not allowed to update the password.");
 287        }
 288
 289        if (request.ResetPassword)
 290        {
 291            await _userManager.ResetPassword(user).ConfigureAwait(false);
 292        }
 293        else
 294        {
 295            if (!User.IsInRole(UserRoles.Administrator) || (userId.HasValue && User.GetUserId().Equals(userId.Value)))
 296            {
 297                var success = await _userManager.AuthenticateUser(
 298                    user.Username,
 299                    request.CurrentPw ?? string.Empty,
 300                    HttpContext.GetNormalizedRemoteIP().ToString(),
 301                    false).ConfigureAwait(false);
 302
 303                if (success is null)
 304                {
 305                    return StatusCode(StatusCodes.Status403Forbidden, "Invalid user or password entered.");
 306                }
 307            }
 308
 309            await _userManager.ChangePassword(user, request.NewPw ?? string.Empty).ConfigureAwait(false);
 310
 311            var currentToken = User.GetToken();
 312
 313            await _sessionManager.RevokeUserTokens(user.Id, currentToken).ConfigureAwait(false);
 314        }
 315
 316        return NoContent();
 317    }
 318
 319    /// <summary>
 320    /// Updates a user's password.
 321    /// </summary>
 322    /// <param name="userId">The user id.</param>
 323    /// <param name="request">The <see cref="UpdateUserPassword"/> request.</param>
 324    /// <response code="204">Password successfully reset.</response>
 325    /// <response code="403">User is not allowed to update the password.</response>
 326    /// <response code="404">User not found.</response>
 327    /// <returns>A <see cref="NoContentResult"/> indicating success or a <see cref="ForbidResult"/> or a <see cref="NotF
 328    [HttpPost("{userId}/Password")]
 329    [Authorize]
 330    [ProducesResponseType(StatusCodes.Status204NoContent)]
 331    [ProducesResponseType(StatusCodes.Status403Forbidden)]
 332    [ProducesResponseType(StatusCodes.Status404NotFound)]
 333    [Obsolete("Kept for backwards compatibility")]
 334    [ApiExplorerSettings(IgnoreApi = true)]
 335    public Task<ActionResult> UpdateUserPasswordLegacy(
 336        [FromRoute, Required] Guid userId,
 337        [FromBody, Required] UpdateUserPassword request)
 338        => UpdateUserPassword(userId, request);
 339
 340    /// <summary>
 341    /// Updates a user's easy password.
 342    /// </summary>
 343    /// <param name="userId">The user id.</param>
 344    /// <param name="request">The <see cref="UpdateUserEasyPassword"/> request.</param>
 345    /// <response code="204">Password successfully reset.</response>
 346    /// <response code="403">User is not allowed to update the password.</response>
 347    /// <response code="404">User not found.</response>
 348    /// <returns>A <see cref="NoContentResult"/> indicating success or a <see cref="ForbidResult"/> or a <see cref="NotF
 349    [HttpPost("{userId}/EasyPassword")]
 350    [Obsolete("Use Quick Connect instead")]
 351    [ApiExplorerSettings(IgnoreApi = true)]
 352    [Authorize]
 353    [ProducesResponseType(StatusCodes.Status204NoContent)]
 354    [ProducesResponseType(StatusCodes.Status403Forbidden)]
 355    [ProducesResponseType(StatusCodes.Status404NotFound)]
 356    public ActionResult UpdateUserEasyPassword(
 357        [FromRoute, Required] Guid userId,
 358        [FromBody, Required] UpdateUserEasyPassword request)
 359    {
 360        return Forbid();
 361    }
 362
 363    /// <summary>
 364    /// Updates a user.
 365    /// </summary>
 366    /// <param name="userId">The user id.</param>
 367    /// <param name="updateUser">The updated user model.</param>
 368    /// <response code="204">User updated.</response>
 369    /// <response code="400">User information was not supplied.</response>
 370    /// <response code="403">User update forbidden.</response>
 371    /// <returns>A <see cref="NoContentResult"/> indicating success or a <see cref="BadRequestResult"/> or a <see cref="
 372    [HttpPost]
 373    [Authorize]
 374    [ProducesResponseType(StatusCodes.Status204NoContent)]
 375    [ProducesResponseType(StatusCodes.Status400BadRequest)]
 376    [ProducesResponseType(StatusCodes.Status403Forbidden)]
 377    public async Task<ActionResult> UpdateUser(
 378        [FromQuery] Guid? userId,
 379        [FromBody, Required] UserDto updateUser)
 380    {
 381        var requestUserId = userId ?? User.GetUserId();
 382        var user = _userManager.GetUserById(requestUserId);
 383        if (user is null)
 384        {
 385            return NotFound();
 386        }
 387
 388        if (!RequestHelpers.AssertCanUpdateUser(User, user, true))
 389        {
 390            return StatusCode(StatusCodes.Status403Forbidden, "User update not allowed.");
 391        }
 392
 393        if (!string.Equals(user.Username, updateUser.Name, StringComparison.Ordinal))
 394        {
 395            await _userManager.RenameUser(user, updateUser.Name).ConfigureAwait(false);
 396        }
 397
 398        await _userManager.UpdateConfigurationAsync(requestUserId, updateUser.Configuration).ConfigureAwait(false);
 399
 400        return NoContent();
 401    }
 402
 403    /// <summary>
 404    /// Updates a user.
 405    /// </summary>
 406    /// <param name="userId">The user id.</param>
 407    /// <param name="updateUser">The updated user model.</param>
 408    /// <response code="204">User updated.</response>
 409    /// <response code="400">User information was not supplied.</response>
 410    /// <response code="403">User update forbidden.</response>
 411    /// <returns>A <see cref="NoContentResult"/> indicating success or a <see cref="BadRequestResult"/> or a <see cref="
 412    [HttpPost("{userId}")]
 413    [Authorize]
 414    [ProducesResponseType(StatusCodes.Status204NoContent)]
 415    [ProducesResponseType(StatusCodes.Status400BadRequest)]
 416    [ProducesResponseType(StatusCodes.Status403Forbidden)]
 417    [Obsolete("Kept for backwards compatibility")]
 418    [ApiExplorerSettings(IgnoreApi = true)]
 419    public Task<ActionResult> UpdateUserLegacy(
 420        [FromRoute, Required] Guid userId,
 421        [FromBody, Required] UserDto updateUser)
 422        => UpdateUser(userId, updateUser);
 423
 424    /// <summary>
 425    /// Updates a user policy.
 426    /// </summary>
 427    /// <param name="userId">The user id.</param>
 428    /// <param name="newPolicy">The new user policy.</param>
 429    /// <response code="204">User policy updated.</response>
 430    /// <response code="400">User policy was not supplied.</response>
 431    /// <response code="403">User policy update forbidden.</response>
 432    /// <returns>A <see cref="NoContentResult"/> indicating success or a <see cref="BadRequestResult"/> or a <see cref="
 433    [HttpPost("{userId}/Policy")]
 434    [Authorize(Policy = Policies.RequiresElevation)]
 435    [ProducesResponseType(StatusCodes.Status204NoContent)]
 436    [ProducesResponseType(StatusCodes.Status400BadRequest)]
 437    [ProducesResponseType(StatusCodes.Status403Forbidden)]
 438    public async Task<ActionResult> UpdateUserPolicy(
 439        [FromRoute, Required] Guid userId,
 440        [FromBody, Required] UserPolicy newPolicy)
 441    {
 442        var user = _userManager.GetUserById(userId);
 443        if (user is null)
 444        {
 445            return NotFound();
 446        }
 447
 448        // If removing admin access
 449        if (!newPolicy.IsAdministrator && user.HasPermission(PermissionKind.IsAdministrator))
 450        {
 451            if (_userManager.Users.Count(i => i.HasPermission(PermissionKind.IsAdministrator)) == 1)
 452            {
 453                return StatusCode(StatusCodes.Status403Forbidden, "There must be at least one user in the system with ad
 454            }
 455        }
 456
 457        // If disabling
 458        if (newPolicy.IsDisabled && user.HasPermission(PermissionKind.IsAdministrator))
 459        {
 460            return StatusCode(StatusCodes.Status403Forbidden, "Administrators cannot be disabled.");
 461        }
 462
 463        // If disabling
 464        if (newPolicy.IsDisabled && !user.HasPermission(PermissionKind.IsDisabled))
 465        {
 466            if (_userManager.Users.Count(i => !i.HasPermission(PermissionKind.IsDisabled)) == 1)
 467            {
 468                return StatusCode(StatusCodes.Status403Forbidden, "There must be at least one enabled user in the system
 469            }
 470
 471            var currentToken = User.GetToken();
 472            await _sessionManager.RevokeUserTokens(user.Id, currentToken).ConfigureAwait(false);
 473        }
 474
 475        await _userManager.UpdatePolicyAsync(userId, newPolicy).ConfigureAwait(false);
 476
 477        return NoContent();
 478    }
 479
 480    /// <summary>
 481    /// Updates a user configuration.
 482    /// </summary>
 483    /// <param name="userId">The user id.</param>
 484    /// <param name="userConfig">The new user configuration.</param>
 485    /// <response code="204">User configuration updated.</response>
 486    /// <response code="403">User configuration update forbidden.</response>
 487    /// <returns>A <see cref="NoContentResult"/> indicating success.</returns>
 488    [HttpPost("Configuration")]
 489    [Authorize]
 490    [ProducesResponseType(StatusCodes.Status204NoContent)]
 491    [ProducesResponseType(StatusCodes.Status403Forbidden)]
 492    public async Task<ActionResult> UpdateUserConfiguration(
 493        [FromQuery] Guid? userId,
 494        [FromBody, Required] UserConfiguration userConfig)
 495    {
 496        var requestUserId = userId ?? User.GetUserId();
 497        var user = _userManager.GetUserById(requestUserId);
 498        if (user is null)
 499        {
 500            return NotFound();
 501        }
 502
 503        if (!RequestHelpers.AssertCanUpdateUser(User, user, true))
 504        {
 505            return StatusCode(StatusCodes.Status403Forbidden, "User configuration update not allowed");
 506        }
 507
 508        await _userManager.UpdateConfigurationAsync(requestUserId, userConfig).ConfigureAwait(false);
 509
 510        return NoContent();
 511    }
 512
 513    /// <summary>
 514    /// Updates a user configuration.
 515    /// </summary>
 516    /// <param name="userId">The user id.</param>
 517    /// <param name="userConfig">The new user configuration.</param>
 518    /// <response code="204">User configuration updated.</response>
 519    /// <response code="403">User configuration update forbidden.</response>
 520    /// <returns>A <see cref="NoContentResult"/> indicating success.</returns>
 521    [HttpPost("{userId}/Configuration")]
 522    [Authorize]
 523    [Obsolete("Kept for backwards compatibility")]
 524    [ApiExplorerSettings(IgnoreApi = true)]
 525    [ProducesResponseType(StatusCodes.Status204NoContent)]
 526    [ProducesResponseType(StatusCodes.Status403Forbidden)]
 527    public Task<ActionResult> UpdateUserConfigurationLegacy(
 528        [FromRoute, Required] Guid userId,
 529        [FromBody, Required] UserConfiguration userConfig)
 530        => UpdateUserConfiguration(userId, userConfig);
 531
 532    /// <summary>
 533    /// Creates a user.
 534    /// </summary>
 535    /// <param name="request">The create user by name request body.</param>
 536    /// <response code="200">User created.</response>
 537    /// <returns>An <see cref="UserDto"/> of the new user.</returns>
 538    [HttpPost("New")]
 539    [Authorize(Policy = Policies.RequiresElevation)]
 540    [ProducesResponseType(StatusCodes.Status200OK)]
 541    public async Task<ActionResult<UserDto>> CreateUserByName([FromBody, Required] CreateUserByName request)
 542    {
 543        var newUser = await _userManager.CreateUserAsync(request.Name).ConfigureAwait(false);
 544
 545        // no need to authenticate password for new user
 546        if (request.Password is not null)
 547        {
 548            await _userManager.ChangePassword(newUser, request.Password).ConfigureAwait(false);
 549        }
 550
 551        var result = _userManager.GetUserDto(newUser, HttpContext.GetNormalizedRemoteIP().ToString());
 552
 553        return result;
 554    }
 555
 556    /// <summary>
 557    /// Initiates the forgot password process for a local user.
 558    /// </summary>
 559    /// <param name="forgotPasswordRequest">The forgot password request containing the entered username.</param>
 560    /// <response code="200">Password reset process started.</response>
 561    /// <returns>A <see cref="Task"/> containing a <see cref="ForgotPasswordResult"/>.</returns>
 562    [HttpPost("ForgotPassword")]
 563    [ProducesResponseType(StatusCodes.Status200OK)]
 564    public async Task<ActionResult<ForgotPasswordResult>> ForgotPassword([FromBody, Required] ForgotPasswordDto forgotPa
 565    {
 566        var ip = HttpContext.GetNormalizedRemoteIP();
 567        var isLocal = HttpContext.IsLocal()
 568                      || _networkManager.IsInLocalNetwork(ip);
 569
 570        if (!isLocal)
 571        {
 572            _logger.LogWarning("Password reset process initiated from outside the local network with IP: {IP}", ip);
 573        }
 574
 575        var result = await _userManager.StartForgotPasswordProcess(forgotPasswordRequest.EnteredUsername, isLocal).Confi
 576
 577        return result;
 578    }
 579
 580    /// <summary>
 581    /// Redeems a forgot password pin.
 582    /// </summary>
 583    /// <param name="forgotPasswordPinRequest">The forgot password pin request containing the entered pin.</param>
 584    /// <response code="200">Pin reset process started.</response>
 585    /// <returns>A <see cref="Task"/> containing a <see cref="PinRedeemResult"/>.</returns>
 586    [HttpPost("ForgotPassword/Pin")]
 587    [ProducesResponseType(StatusCodes.Status200OK)]
 588    public async Task<ActionResult<PinRedeemResult>> ForgotPasswordPin([FromBody, Required] ForgotPasswordPinDto forgotP
 589    {
 590        var result = await _userManager.RedeemPasswordResetPin(forgotPasswordPinRequest.Pin).ConfigureAwait(false);
 591        return result;
 592    }
 593
 594    /// <summary>
 595    /// Gets the user based on auth token.
 596    /// </summary>
 597    /// <response code="200">User returned.</response>
 598    /// <response code="400">Token is not owned by a user.</response>
 599    /// <returns>A <see cref="UserDto"/> for the authenticated user.</returns>
 600    [HttpGet("Me")]
 601    [Authorize]
 602    [ProducesResponseType(StatusCodes.Status200OK)]
 603    [ProducesResponseType(StatusCodes.Status400BadRequest)]
 604    public ActionResult<UserDto> GetCurrentUser()
 605    {
 17606        var userId = User.GetUserId();
 17607        if (userId.IsEmpty())
 608        {
 0609            return BadRequest();
 610        }
 611
 17612        var user = _userManager.GetUserById(userId);
 17613        if (user is null)
 614        {
 0615            return BadRequest();
 616        }
 617
 17618        return _userManager.GetUserDto(user);
 619    }
 620
 621    private IEnumerable<UserDto> Get(bool? isHidden, bool? isDisabled, bool filterByDevice, bool filterByNetwork)
 622    {
 4623        var users = _userManager.Users;
 624
 4625        if (isDisabled.HasValue)
 626        {
 1627            users = users.Where(i => i.HasPermission(PermissionKind.IsDisabled) == isDisabled.Value);
 628        }
 629
 4630        if (isHidden.HasValue)
 631        {
 1632            users = users.Where(i => i.HasPermission(PermissionKind.IsHidden) == isHidden.Value);
 633        }
 634
 4635        if (filterByDevice)
 636        {
 0637            var deviceId = User.GetDeviceId();
 638
 0639            if (!string.IsNullOrWhiteSpace(deviceId))
 640            {
 0641                users = users.Where(i => _deviceManager.CanAccessDevice(i, deviceId));
 642            }
 643        }
 644
 4645        if (filterByNetwork)
 646        {
 0647            if (!_networkManager.IsInLocalNetwork(HttpContext.GetNormalizedRemoteIP()))
 648            {
 0649                users = users.Where(i => i.HasPermission(PermissionKind.EnableRemoteAccess));
 650            }
 651        }
 652
 4653        var result = users
 4654            .OrderBy(u => u.Username)
 4655            .Select(i => _userManager.GetUserDto(i, HttpContext.GetNormalizedRemoteIP().ToString()));
 656
 4657        return result;
 658    }
 659}
Generated by: ReportGenerator 5.4.18.0
11/22/2025 - 12:10:00 AM
GitHub | reportgenerator.io

Methods/Properties

.ctor(MediaBrowser.Controller.Library.IUserManager,MediaBrowser.Controller.Session.ISessionManager,MediaBrowser.Common.Net.INetworkManager,MediaBrowser.Controller.Devices.IDeviceManager,MediaBrowser.Controller.Net.IAuthorizationContext,MediaBrowser.Controller.Configuration.IServerConfigurationManager,Microsoft.Extensions.Logging.ILogger`1<Jellyfin.Api.Controllers.UserController>,MediaBrowser.Controller.QuickConnect.IQuickConnect,MediaBrowser.Controller.Playlists.IPlaylistManager)
GetUsers(System.Nullable`1<System.Boolean>,System.Nullable`1<System.Boolean>)
GetPublicUsers()
GetUserById(System.Guid)
AuthenticateWithQuickConnect(Jellyfin.Api.Models.UserDtos.QuickConnectDto)
GetCurrentUser()
Get(System.Nullable`1<System.Boolean>,System.Nullable`1<System.Boolean>,System.Boolean,System.Boolean)