Oceanus (Author), posted December 29, 2020 (edited)

> On 12/26/2020 at 9:56 PM, cayars said:
> The "vulnerability" in itself is that a non-admin can get to any admin section (regardless of what they can see or change).

Exactly!

Edited December 29, 2020 by Oceanus

Painkiller8818, posted January 5, 2021

Any updates here?

Luke, posted January 7, 2021

Yes, we're looking into it, thanks.

Thomas64, posted January 8, 2021 (edited)

Could this be associated with a User who is NOT set to "Allow this user to manage the server" still seeing the "Manage Emby Server" icon in the Web Interface? Should the "Manage Emby Server" Icon even be there for a user not enabled to do so? Maybe there is some shared code/logic at work allowing both situations to happen?

The user I am logged in as to get this screen snip is NOT allowed to manage the server - but still gets the Icon. In this instance, the "Manage Emby Server" icon ends up just giving the same exact options as the normal Settings Icon - which makes one of them redundant.

For a User who IS allowed to manage the server - both the normal Settings Icon and "Manage Emby Server" Icon give the exact same options (to change user settings AND manage the server). The Emby Server Icon just takes you directly to the Dashboard first.

Edited January 8, 2021 by Thomas64

Happy2Play, posted January 8, 2021 (edited)

> 19 minutes ago, Thomas64 said:
> Could this be associated with a User who is NOT set to "Allow this user to manage the server" still seeing the "Manage Emby Server" icon in the Web Interface? Should the "Manage Emby Server" Icon even be there for a user not enabled to do so? Maybe there is some shared code/logic at work allowing both situations to happen?
>
> The user I am logged in as to get this screen snip is NOT allowed to manage the server - but still gets the Icon. In this instance, the "Manage Emby Server" icon ends up just giving the same exact options as the normal Settings Icon - which makes one of them redundant.
>
> For a User who IS allowed to manage the server - both the normal Settings Icon and "Manage Emby Server" Icon give the exact same options (to change user settings AND manage the server). The Emby Server Icon just takes you directly to the Dashboard first.

Unless there is a browser cache issue, I have never seen a user that does not have "Allow this user to manage the server" enabled have the option displayed on screen. Looks like this is a change that I just never noticed. But does not show any dashboard stuff.

But the issue in this topic is users using URLs to get to said locations.

Edited January 8, 2021 by Happy2Play

Carlo, posted January 8, 2021

You and me both, Happy2Play. I've never held the mouse over the icon to pull up the description. That might however be better with a tooltip such as "Configuration" vs "Manage Emby Server".

Thomas64, posted January 8, 2021 (edited)

> 21 hours ago, Happy2Play said:
> But the issue in this topic is users using URLs to get to said locations.

Gotcha... Was just thinking maybe the underlying coding was allowing both situations to happen.

Edited January 8, 2021 by Thomas64