
EmbyCon user permissions affecting server security.


zimny

Hi guys,

 

I'm using EmbyCon and Embuary skin in my setup. Also CentOS for Emby server and all is up to date. Users over LDAP plugin.

Under user profile I'm granting users only playback functionality to restrict any abusive behavior like unnecessary converting, downloading subtitles, deleting media, etc.

 

The problem I have found is that even with these restrictions in place any user can delete a collection of movies.

They can't delete media inside the collection but they can delete the collection itself and then this is gone for all other users also.

I'm considering this a security issue because that way one abusive user can make a mess for all others with collections of movies.

 

 

I also mentioned several times the very limited default user setup under the LDAP plugin.

Still need to manually turn off "Allow media conversion", "Allow social media sharing" and "Allow this user to change their password and profile image".

In my opinion allowing media conversion by default can be considered a security issue for Emby server.

Just imagine you have 100 users and all of them start converting media without your knowledge, or converting to lower quality than you as an admin like to keep in the library.


@Luke

Deleting collections is a server issue, check the Web Client, you will still be able to delete Collections even if you have delete collections disabled in that user's settings. I believe that is a server bug.


@Luke

Deleting collections is a server issue, check the Web Client, you will still be able to delete Collections even if you have delete collections disabled in that user's settings. I believe that is a server bug.

 

 

Yes I know this is a server issue.

 

This is why I have reported that.

Hope we can get a solution soon.

 

 

Also, the default setup for the LDAP plugin should include being able to turn off some user rights by default in the global plugin settings.

Still need to manually turn off "Allow media conversion", "Allow social media sharing" and "Allow this user to change their password and profile image".

 

This can abuse the server also

 

 

I'm sorry if I posted that in the wrong forum; maybe a moderator can correct me if this is an issue.


All users can currently manipulate collections but it's something we plan to revamp in future updates.

 

 

 

Still need to manually turn off "Allow media conversion", "Allow social media sharing" and "Allow this user to change their password and profile image".

 

This is not yet in the LDAP plugin configuration, but you can still configure it for each user after they have been imported into Emby Server.
