shocker, Posted March 29, 2019 (edited)

Hello,

If you enable/disable LiveTV library for a user, that user will still be able to access the library via the Live TV endpoint URL, e.g. https://emby.server.tld/web/index.html\#\!/livetv/livetv.html\?serverId\=you_server_id

How to reproduce: Enable Live TV for a user. Go to live tv, save the URL. Disable Live TV for the user. You will see that the Live TV is not visible in the library, but if you enter the saved URL you will be able to access the Live TV.

This is common if users are saving the LiveTV URLs as a bookmark and they can bypass your option.

Thanks!

Edited March 29, 2019 by shocker

Carlo, Posted March 29, 2019

What happens if you log out and then log back in again? Does the URL still work?

shocker (Author), Posted March 29, 2019

> What happens if you log out and then log back in again? Does the URL still work?

Just tested, yes the URL is still valid even though I don't have the live TV permission. Is it just me, or can you reproduce this as well?

Carlo, Posted March 29, 2019

Yes, I was able to reproduce it as well. This doesn't seem to work for Movie or TV show libraries or the admin dashboard but only in LiveTV. Looks like a security check is missing in this section of code. @Luke

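Added example, not part of the thread and not Emby code: a minimal model of the behaviour reported above, where switching Live TV off removes the menu entry while a saved URL still loads, next to a handler that re-checks the user's current policy on every request. All names (policies, routes, handler functions) are hypothetical.

```javascript
// Added illustration, not Emby code. Every name here is hypothetical.
// Constructed sample policies, as an admin might set them per user.
const policies = { alice: { liveTv: true }, bob: { liveTv: false } };

// Permission each route requires; null means "any signed-in user".
const routePermissions = { "/home": null, "/livetv/channels": "liveTv" };

// Own-property lookup so inherited keys never count as a user or route.
const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Admin toggles the Live TV option for a user.
function setLiveTv(user, enabled) {
  policies[user].liveTv = enabled;
}

// Menu rendering only hides the link. It is presentation, not access control.
function visibleMenu(user) {
  if (!own(policies, user)) return [];
  return Object.keys(routePermissions).filter((path) => {
    const perm = routePermissions[path];
    return perm === null || policies[user][perm] === true;
  });
}

// "Before": only checks that the user is signed in, so a bookmarked
// URL keeps working after the permission is switched off.
function handleUnchecked(user, path) {
  if (!own(policies, user)) return { status: 401 };
  return { status: 200, body: `content of ${path}` };
}

// "After": the current policy is re-evaluated on every request, and
// routes without a declared permission are denied by default.
function handleChecked(user, path) {
  if (!own(policies, user)) return { status: 401 };
  if (!own(routePermissions, path)) return { status: 403 };
  const perm = routePermissions[path];
  if (perm !== null && policies[user][perm] !== true) return { status: 403 };
  return { status: 200, body: `content of ${path}` };
}
```

A regression test for this class of bug requests each permission-gated route directly as a user who lacks the permission and expects a denial, independent of what the menu shows.
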
Luke, Posted March 30, 2019

Thanks for the report. We'll take a look.

shocker (Author), Posted May 8, 2019

> Thanks for the report. We'll take a look.

Hello,

Any findings?

Thanks

Luke, Posted May 8, 2019

We'll review this for a future update, thanks.

Sammy, Posted May 9, 2019

Fortunately for me none of my users are smart enough to do this..

Spaceboy, Posted May 9, 2019

> Fortunately for me none of my users are smart enough to do this..

I know, but this just highlights the shortcuts and hacks that have been used in getting to where we are now. What other shortcuts have been taken that haven’t been discovered by users here yet? It's impossible to not think about the security breaches we saw a few weeks ago. How can the devs be SO certain they have identified the issue when anyone would naturally assume that this approach is taken across the board?