/web/index.html#!/dashboard


strugglez
Posted

Hi there,

I've just recently discovered a non-admin user can go to /web/index.html#!/dashboard once authenticated and essentially reload the page with the URL and still shut down/restart the server and see active streams.

Am I missing something? I've disabled admin and remote control for this user.

darkassassin07
Posted (edited)

Hmm, 

In my testing, I can load the dashboard page with a non-admin user; however, only the top section containing the server name, version, and LAN/WAN URLs actually loads (info the clients already have), as well as the progress bars for any running tasks (this is new info to non-admins). The rest of the page is empty.

When clicking the shutdown/reload buttons, the client proceeds to ask if you're sure, then presents the 'restarting emby server' popup+loading wheel. The server does not actually perform the action though, and the log file shows it responding '403 forbidden' to the requests.

This is also true for changing the server name. (you can appear to in the client, but the server 403s it and doesn't perform the action)

 

While this doesn't reveal a whole lot of new info, non-admins still shouldn't be able to get this far I would think.

Edited by darkassassin07
Posted (edited)

Confirmed here.

A non-Admin account can go to server/web/index.html#!/dashboard and restart and shut down the server.

Can't do much else.
 

Edited by CBers
Posted

Hi, thanks for reporting. We’ll take a look.
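
The two layers discussed in this thread, as an added example that is not part of the original posts and is not Emby's code: a client-side guard for the `#!/dashboard` route, and the server-side check that answers 403 regardless of which page the client rendered. All function names and the session shape are hypothetical.

```javascript
// Added example: ADMIN_ROUTES, resolveRoute, handleSystemAction and
// requestShutdown are hypothetical names, not Emby's code.

// Routes in the web client that only administrators should be able to render.
const ADMIN_ROUTES = new Set(['/dashboard']);

// Client side: turn a URL hash such as "#!/dashboard" into the route to render.
// A non-admin who types an admin route is sent home instead of getting the page shell.
function resolveRoute(hash, user) {
  const path = hash.replace(/^#!/, '').split('?')[0]
    .replace(/\/+$/, '').toLowerCase() || '/home';
  const isAdmin = Boolean(user && user.isAdmin);
  return ADMIN_ROUTES.has(path) && !isAdmin ? '/home' : path;
}

// Server side: the check that actually protects the action. It must not depend
// on what the client rendered, because the guard above is only a UI convenience.
function handleSystemAction(action, session) {
  if (!session) return { status: 401, performed: false };
  if (!session.isAdmin) return { status: 403, performed: false };
  return { status: 204, performed: true, action };
}

// Client side: report the server's answer instead of assuming success, so a 403
// does not end in a "restarting server" popup.
function requestShutdown(session, send = handleSystemAction) {
  const res = send('shutdown', session);
  if (res.status === 403) return 'You do not have permission to shut down the server.';
  if (res.status === 401) return 'Please sign in again.';
  return 'Server is shutting down.';
}

// Constructed sample sessions.
const viewer = { name: 'viewer', isAdmin: false };
const admin = { name: 'admin', isAdmin: true };

console.log(resolveRoute('#!/dashboard', viewer));          // guard redirects
console.log(handleSystemAction('restart', viewer).status);  // server refuses
console.log(requestShutdown(viewer));                       // client shows the refusal
```
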
