Security Issues? Or just due to reverse proxy?


pir8radio

I have a guest user set up with no privileges. Though the links are hidden from the GUI, this user can still type in /web/edititemmetadata.html and edit metadata; same goes for user preferences... I have yet to test this bypassing the reverse proxy, I hope that's the issue. Otherwise the security settings don't do anything if you're familiar with the Media Browser paths. Can someone confirm or deny, please?


Rowlett

I've just tried today without using a reverse proxy and also get the same results - a user with guest access using direct links (like the one you posted) was able to access everything.


pir8radio

Is this something that we can get fixed in the next release? Pretty please?


pir8radio

Just a BUMP reminder, I cannot open my server to the general public if they can bypass security settings and change my files, or edit their user profile. I will continue to search for some holes; if I find many more I'll just make a new thread...


The API is secure, and that will prevent them from making any changes. It's just the HTML, and that will be looked at in a future release.

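A minimal model of the distinction drawn in the last reply, added here as an example and not taken from Media Browser's code: a static page such as /web/edititemmetadata.html can load for any user, while every state-changing API call is authorized server-side against the session's user. The API routes, tokens and permission fields are hypothetical; `audit()` is the check an operator would want to pass for a guest before exposing the server.

```python
# Added illustration: routes (other than the page path quoted in the thread),
# tokens and policy fields are hypothetical, not Media Browser's real API.
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    is_admin: bool = False
    can_edit_metadata: bool = False


# Constructed sample accounts and session tokens.
SESSIONS = {
    "tok-admin": User("admin", is_admin=True, can_edit_metadata=True),
    "tok-guest": User("guest"),
}

# Static client files: served to anyone, they hold no data of their own.
STATIC = {"/web/edititemmetadata.html", "/web/index.html"}

# Hypothetical API routes mapped to the permission each one requires.
API_RULES = {
    ("GET", "/api/items"): lambda u: True,
    ("POST", "/api/items/update"): lambda u: u.is_admin or u.can_edit_metadata,
    ("POST", "/api/users/config"): lambda u: u.is_admin,
}


def handle(method, path, token=None):
    """Return the HTTP status code the server would give this request."""
    if method == "GET" and path in STATIC:
        return 200  # the page shell loads, even for a guest
    rule = API_RULES.get((method, path))
    if rule is None:
        return 404
    user = SESSIONS.get(token)
    if user is None:
        return 401  # no valid session
    # Authorization is decided here on every call, never by hidden links.
    return 200 if rule(user) else 403


def audit(token):
    """List the state-changing API routes this session is allowed to call."""
    return sorted(p for (m, p) in API_RULES
                  if m == "POST" and handle(m, p, token) == 200)
```

An empty `audit()` result for the guest token means the reachable HTML page cannot change anything; a non-empty one would mean the server, not the GUI, is missing a check.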
