
More granular controls for sharing playlists with other users



Clackdor

I definitely like the new playlist system as it's nice not having all created playlists show up for anyone with access. Being able to share playlists is definitely a desirable feature, and having that configurable as a per user option was the right approach.

Currently the biggest caveat for enabling that option for a user is that they now have a complete list of all user accounts on the server, including admin accounts.

This is enough to make me want to keep it disabled for the time being as there are numerous downsides and concerns with providing a full list of all users (especially admin accounts) just for the sake of enabling playlist sharing.

I'm not sure if this is something that is already planned, but there should be an additional selection option when enabling this feature to control what other users that particular user can share a playlist with. 

That kind of granularity in the controls will make it a useable feature for more security conscious setups where a full user list enumeration is not desirable. 

  • Like 4
  • Agree 1

brios

You can share a playlist with other people?  I am running 4.8.0.80, i see an option to "Manage Collaboration", but it always defaults back to private.  Where do you see the option to share a playlist with other people?

 


Clackdor

@brios From an admin account go to manage server>users> select a user. Under profile you'll see an option that says "Allow sharing personal content such as playlists with other users on this server". Afterwards you'll see the list of users when you go to "Manage Collaboration" from a playlist for that user.

Like I said above this gives that user access to the full list of users on the server, including admin accounts, so keep that in mind when enabling.


brios

Thank you, works great.  I was just going to enable it for myself as the Admin, so I can share my playlist with family members.

  • Thanks 1

Clackdor

No problem! Hopefully one of the devs will chime in on this thread at some point. I really think there needs to be more control on what users are visible to a user with this option enabled.


TeamB
6 hours ago, Clackdor said:

there are numerous downsides and concerns with providing a full list of all users

can you list a few please, i am looking for security reasons, not things like "i have my girlfriend and ex-girlfriend on here and dont want them to know"

i am also assuming all users on a multi user setup have good passwords.


darkassassin07

I think the current checkbox plus another list under the 'access' tab of a users settings selecting which other users a user can see to share with, would work really well.

 

A user could then:

- keep a playlist private, while adding individual users as view/edit (limited to the list they have access to)

- change it to public/collaborative where all users can see, but they can still select from their limited list who can edit.

 

 

Admins should always be able to view/edit. I don't think they can at the moment. (at least not in my testing)

 

Finally it would be good to indicate who a playlist belongs to. Currently the only indicator is if the 'manage collaboration' button exists, it's your playlist. Beyond that you can't tell who owns what.

  • Agree 1

More control over the list of visible users is certainly possible for future updates. Thanks.

  • Thanks 1

darkassassin07
6 minutes ago, TeamB said:

can you list a few please, i am looking for security reasons, not things like "i have my girlfriend and ex-girlfriend on here and dont want them to know"

i am also assuming all users on a multi user setup have good passwords.

Mostly just exposing admin usernames where really unnecessary. One less piece for an attacker to figure out. Not a major flaw, but a flaw.

Assuming all users have good passwords isn't great; emby has no controls to enforce password requirements aside from setting them yourself and removing permissions to change passwords.

 

 

For me I'd just like the privacy options and to keep things tidy. Family doesn't need to see personal friends, and different friend groups don't need to mix. I'm sure everyone has their own requirements/desires for privacy; that'll vary quite a bit.

  • Agree 2

Clackdor
2 minutes ago, TeamB said:

can you list a few please, i am looking for security reasons, not things like "i have my girlfriend and ex-girlfriend on here and dont want them to know"

i am also assuming all users on a multi user setup have good passwords.

I'd say the biggest concern security wise is having the names of admin accounts exposed to regular users, or say an account that is strictly designated as the default for DLNA. 

From a usability standpoint it would be nice to have some isolation so that for example my sister in law and brother in law can share playlists with each other, and my wife and I can share playlists with each other, but not have the playlists be inadvertently shared between the two groups and creating unwanted clutter. 


TeamB
46 minutes ago, darkassassin07 said:

Mostly just exposing admin usernames where really unnecessary

from just a username you dont know who is an admin, its just a list of users and they should all have good passwords.

49 minutes ago, darkassassin07 said:

For me I'd just like the privacy options and to keep things tidy. Family doesn't need to see personal friends, and different friend groups don't need to mix. I'm sure everyone has their own requirements/desires for privacy; that'll vary quite a bit.

so it's the "my ex-girlfriend and my current girlfriend are on here and I dont want them to know" or perhaps mistress and wife? 🙂 just funning with you, no need to lose your mind.

51 minutes ago, Clackdor said:

From a usability standpoint it would be nice to have some isolation so that for example my sister in law and brother in law can share playlists with each other, and my wife and I can share playlists with each other, but not have the playlists be inadvertently shared between the two groups and creating unwanted clutter. 

I feel this is a small edge case.

If you really want to keep your user bases separate, why not set up separate servers, one for family and one for the rabble.


darkassassin07
5 minutes ago, TeamB said:

from just a username you dont know who is an admin, its just a list of users and they should all have good passwords.

Sure; but you went from having no idea what the admin usernames could be, to an all inclusive list of users that definitely contains at least one admin. As I said pretty minor, but still a flaw.

 

 

On privacy: more that my immature friends don't need to be sharing content with my grandmother...

I've also read of users here with 50+ accounts on their servers. That's a lot of clutter to scroll through when most of those would only share with a handful of others.

  • Agree 1

Clackdor
1 minute ago, TeamB said:

from just a username you dont know who is an admin, its just a list of users and they should all have good passwords.

so it's the "my ex-girlfriend and my current girlfriend are on here and I dont want them to know" or perhaps mistress and wife? 🙂 just funning with you, no need to lose your mind.

I feel this is a small edge case.

If you really want to keep your user bases separate, why not set up separate servers, one for family and one for the rabble.

There are cases when it could be extremely obvious who the admin is if the word "admin" or any other similar distinction is in the username, which I'm sure is fairly common even if it's not a best practice. While a strong password should be set for all accounts, having the option would decrease unnecessary exposure of account names in general.

Another issue with exposing all users to everyone would be using ldap to authenticate some/all users in emby as those accounts correlate to usernames used elsewhere in active directory or another directory server.

I personally use AD at home (yeah a bit masochistic I know) but I also have some users just using emby's built in auth. I may not want to expose an account name that's used to authenticate several other services to users using the built in authentication. 

As for usability, I'll provide another example as to why this would be useful for even just in the home, ignoring any remote users. 

Let's say I want my kids to be able to share playlists with only each other, but I want my wife and I to be able to share playlists with the kids as well as each other. As it stands right now if I want my kids to be able to share playlists with each other, I have to worry about them sharing 10 different playlists of paw patrol or something with my wife and I, thus cluttering up our libraries with things we don't want.

There are numerous reasons why it would be desirable from a usability/isolation standpoint, and having the option to select who can share what with who would cover pretty much every imaginable edge case. 

 

  • Agree 1

TeamB

Just to be clear, I am not for or against this, I am just trying to work out why people want it.

29 minutes ago, darkassassin07 said:

Sure; but you went from having no idea what the admin usernames could be, to an all inclusive list of users that definitely contains at least one admin. As I said pretty minor, but still a flaw.

Remember to get to this list you need to be logged into the system already.

I think an easy solve here is just a tick box that says don't include admin accounts in group user selection. No need for complex user list selection, editing, storing, enforcing, code complexity, security model complexity, users not understanding WTF is going on etc.

32 minutes ago, darkassassin07 said:

On privacy: more that my immature friends don't need to be sharing content with my grandmother...

I am sure grandmothers (not point at yours but in general) in general have seen more shit than you and I combined. But I guess kids might be something that might need protecting.

33 minutes ago, darkassassin07 said:

I've also read of users here with 50+ accounts on their servers. That's a lot of clutter to scroll through when most of those would only share with a handful of others.

We are now getting way past a private media server.


TeamB
3 minutes ago, Clackdor said:

There are cases when it could be extremely obvious who the admin is if the word "admin" or any other similar distinction is in the username, which I'm sure is fairly common even if it's not a best practice. While a strong password should be set for all accounts, having the option would decrease unnecessary exposure of account names in general.

The good old security through obscurity model, I love it.

5 minutes ago, Clackdor said:

I personally use AD at home (yeah a bit masochistic I know) but I also have some users just using emby's built in auth. I may not want to expose an account name that's used to authenticate several other services to users using the built in authentication. 

you love masochism, set up multiple server 🙂

7 minutes ago, Clackdor said:

Let's say I want my kids to be able to share playlists with only each other, but I want my wife and I to be able to share playlists with the kids as well as each other. As it stands right now if I want my kids to be able to share playlists with each other, I have to worry about them sharing 10 different playlists of paw patrol or something with my wife and I, thus cluttering up our libraries with things we don't want.

A better way forward might be to just restrict the creation of shared playlist in the user setup, like you can limit users to certain actions, add playlist here so your kids cant create playlists.

I am just playing devil's advocate here, @Luke will do as he sees fit as he does and my 2 cents are as follows:

- have a checkbox on the playlist enable page to not include admin users in the user list shown
- have a checkbox on the user setup page to allow/block users from creating playlists

I guess what I am trying to do is get away from having to manage individual user lists for each user on who they can add to playlists, this would be such a pain in the ass to implement.

  • Thanks 1

Clackdor
14 minutes ago, TeamB said:

I guess what I am trying to do is get away from having to manage individual user lists for each user on who they can add to playlists, this would be such a pain in the ass to implement.

While code complexity is definitely a big factor in implementing this fully, at minimum being able to hide admin accounts and perhaps other select accounts from playlist sharing would be an ideal compromise.

As far as a full fledged implementation goes, (assuming that it can be done without adding too much complexity or introducing other issues) I think it would be ideal to have playlist sharing options have its own page much like library access controls do. That would provide separation from a UI perspective and make it more intuitive for admins to implement the per user controls for who a user can share playlists with. 

@TeamB @Luke I also just want to make it clear that I appreciate all the hard work that goes into emby from a development and support aspect.

I'm definitely not trying to be that guy that demands that my feature request be fully implemented and fleshed out exactly the way I want, and get butthurt when/if it doesn't. Just trying to make suggestions that can help the versatility/usability and possibly security where applicable. I've been using emby for years and decided I should probably start contributing on the forums to help others and try to help make the product better overall.

So again I'm going to say thank you to the whole team, and to all the regulars who help keep the wheels turning here.

  • Agree 1
  • Thanks 1

17 hours ago, TeamB said:

can you list a few please, i am looking for security reasons,

To me, this is a back-door around the options we have in the server to hide users from login screens.  Those options become kinda useless if we're just gonna allow anyone to see the entire user base with a right click...

  • Agree 3

TeamB
5 hours ago, ebr said:

To me, this is a back-door around the options we have in the server to hide users from login screens.  Those options become kinda useless if we're just gonna allow anyone to see the entire user base with a right click...

no its not, one is pre auth and the other is post auth.

this is also currently optional (sharing playlists) just like the hide user at login screen is.

again i am not really for or against adding this, just trying to work through all the kooky logic people have in their heads.

 

Edited by TeamB

15 minutes ago, TeamB said:

no its not, one is pre auth and the other is post auth.

Okay, so, yeah, its more of a wife/mistress thing.

  • Haha 1

darkassassin07

I don't care if they're authed as a regular user or not I do not want the usernames of my administrator account(s) displayed to my users.

 

I have no control over other users clients and whether they leave them unattended. Nor can I enforce password complexity requirements. Because of these; I cannot ensure the person looking at that list is the authenticated user.

 

Regardless; I don't want my regular users knowing my admin usernames giving them one less hurdle to potentially exploiting any future auth insecurities.

  • Agree 2

TeamB
49 minutes ago, darkassassin07 said:

I have no control over other users clients and whether they leave them unattended. Nor can I enforce password complexity requirements. Because of these; I cannot ensure the person looking at that list is the authenticated user.

if that is the hill you want to die on, you absolutely can control the password rules, use LDAP, set it up with whatever rules for password you want.

Edited by TeamB
  • Facepalm 1

darkassassin07
42 minutes ago, darkassassin07 said:

I have no control over other users clients and whether they leave them unattended. 

Regardless; I don't want my regular users knowing my admin usernames giving them one less hurdle to potentially exploiting any future auth insecurities.

Here, I'll fill the rest back in for you.

 

Stop reading between the lines. There's more than one point here.


Clackdor
27 minutes ago, TeamB said:

no its not, one is pre auth and the other is post auth.

this is also currently optional (sharing playlists) just like the hide user at login screen is.

again i am not really for or against adding this, just trying to work through all the kooky logic people have in their heads

The logic is pretty simple really. Being able to give users the abilities to share playlists with other users where it makes sense, and not otherwise unnecessarily exposing usernames.

15 minutes ago, ebr said:

Okay, so, yeah, its more of a wife/mistress thing.

Not really at all. I've outlined several reasons why this is a desirable feature that don't simply equate to "I don't want my wife to know my mistress is on the server" That kind of wording is extremely dismissive despite numerous valid reasons that have already been provided as to why this would be useful in a variety of situations. 

Unnecessarily exposing all usernames on the server(especially admin accounts) to all other users is just bad opsec in general, and there are a number of ways this could cause problems and frustration for the server admin or amongst their users.

Imagine having friends or relatives that you get along with, but they don't get along with each other. See how enabling this could get abused? Cousin Larry hates cousin Fred, so Larry makes 20 different playlists of Golden Girls and shares them with Fred. Or better yet, say the admin has fail2ban monitoring failed login attempts for emby and Fred thinks it's funny to get Larry's IP banned. Or the admin is using AD authentication (like I am) and little nephew Johnny thinks he's going to try to guess uncle's password. Next thing you know uncle admin is locked out of his computer because there was a lockout policy set in AD after 5 failed attempts. 

I get that the playlist sharing is an optional feature, but it's a very useful one. Its usefulness is greatly diminished though by the fact that anyone can share anything with anyone when enabled, and can also see all other accounts on the server.

You guys are missing the point that giving server admins the ability to better control permissions while still being able to give their users the ability to use a highly desirable feature would be a good thing.

 

 

 

 

 

 

  • Like 1
  • Agree 2

rbjtech

A lot of this was discussed during the Beta release of this.

Seriously, what's wrong with having groups and only showing what you have the privileges to see?     Pretty basic stuff ...

Not to mention, it's a lot more user friendly to click (or remote control click) on 'family group' or 'friends group' than it is to have to individually select all the users ..

Edited by rbjtech
  • Agree 1

TeamB
19 minutes ago, darkassassin07 said:

Here, I'll fill the rest back in for you.

ok no problem, fix my post to not include your full post, little pedantic but I get you.

19 minutes ago, darkassassin07 said:

Stop reading between the lines. There's more than one point here.

Was just doing a full quote, will remember to sub quote with you from now on 🙂

18 minutes ago, Clackdor said:

The logic is pretty simple really. Being able to give users the abilities to share playlists with other users where it makes sense, and not otherwise unnecessarily exposing usernames.

yep, agree, for people that are sensitive to this and have user environments where this is not desirable they don't have to turn it on, this would be a very small user edge case, for everyone else with their "Home Media Server" they just check the box "Don't include admin users in playlist share user lists"

18 minutes ago, Clackdor said:

I've outlined several reasons why this is a desirable feature that don't simply equate to "I don't want my wife to know my mistress is on the server" That kind of wording is extremely dismissive despite numerous valid reasons that have already been provided as to why this would be useful in a variety of situations. 

Might be a good idea to add them to the first post.

The admin users is the main one from what I can see. As I mentioned, can be fixed with a checkbox in the playlist share enable screen.

16 minutes ago, rbjtech said:

A lot of this was discussed during the Beta release of this.

And the beta users (a very small % of emby users) had a bit of a discussion on it. Now it is released, all users can experience it and have a chat about it, as we are doing.

16 minutes ago, rbjtech said:

Seriously, what's wrong with having groups and only showing what you have the privileges to see?     Pretty basic stuff ...

Nothing wrong with it, in fact if the Emby team was infinite I would be suggesting some of the craziest shit you have ever heard, but they are not. Because it might be overkill for a personal home media server when something as simple as a checkbox on the playlist share screen to limit admins users in the user list can solve for 90% of this edge case issue.

Edited by TeamB
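
An added sketch (not from any poster and not Emby's code) comparing the three behaviours argued over in this thread: the full user list, the proposed "hide admins" checkbox, and a per-user allowlist, with the check repeated on the share action itself. The account names, the `share_with` field and the policy names are hypothetical, and it assumes a viewer is left out of their own list.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    is_admin: bool = False
    can_share: bool = False              # the existing per-user sharing checkbox
    share_with: frozenset = frozenset()  # hypothetical per-user allowlist


# Constructed sample accounts, modelled on the household described in the thread.
USERS = {u.name: u for u in [
    User("dad", is_admin=True, can_share=True,
         share_with=frozenset({"mom", "kid1", "kid2"})),
    User("mom", can_share=True, share_with=frozenset({"dad", "kid1", "kid2"})),
    User("kid1", can_share=True, share_with=frozenset({"kid2"})),
    User("kid2", can_share=True, share_with=frozenset({"kid1"})),
    User("dlna"),  # service account, sharing not enabled
]}

POLICIES = ("all", "hide_admins", "allowlist")


def candidates(viewer: str, policy: str) -> list:
    """Names the viewer would be offered when sharing a playlist."""
    if policy not in POLICIES:
        raise ValueError(f"unknown policy: {policy}")
    me = USERS[viewer]
    if not me.can_share:
        return []  # checkbox off: no user list at all
    others = [u for u in USERS.values() if u.name != viewer]
    if policy == "hide_admins":
        # The single-checkbox proposal: drop admin accounts only.
        others = [u for u in others if not u.is_admin]
    elif policy == "allowlist":
        # The per-user list proposal: only names the admin picked.
        others = [u for u in others if u.name in me.share_with]
    return sorted(u.name for u in others)


def share(owner: str, target: str, policy: str) -> bool:
    """Apply the same rule to the share request, not only to the list shown.

    Filtering the list alone would still let a client submit a name
    it was never shown.
    """
    if target not in candidates(owner, policy):
        raise PermissionError(f"{owner} may not share with {target}")
    return True


if __name__ == "__main__":
    for policy in POLICIES:
        print(f"{policy:12} kid1 sees {candidates('kid1', policy)}")
```

With this sample data the "hide admins" checkbox still shows `kid1` the `dlna` service account and `mom`, which is the gap between the two proposals that the posters describe.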