Santrex, posted February 13, 2023 (edited)

Good afternoon. I wanted to draw your attention to the following question...

We use LDAP Authorization (via Plugin) and regulate access for each client at the level of MediaLibrary and Sub-folders. And it works great! By default, each User who is authorized via the LDAP method gets an Empty set of rights on All MediaLibrary (thereafter, according to his Rights Template, he is given the set of Folders he needs).

At the same time, each piece of content (video or movie) has a "unique" link. We noticed that a number of users began to share these links among themselves. And these users (from other departments of the company) should not have access to them. However, such "Direct Links" are not protected by EMBY in any way. We think it's a BUG!

We would like you to consider this as it is a potential account through which users can access content bypassing "permissions".

Thank you!

Edited February 13, 2023 by Santrex

Happy2Play, posted February 13, 2023 (edited)

Don't know anything about the LDAP plugin, Devs will have to comment, but yes, knowing the url/itemid can circumvent access restrictions on an authenticated user in my tests.

@Luke tested current release and beta (if itemid is known any item can be accessed)

Edited February 13, 2023 by Happy2Play

Santrex (author), posted February 16, 2023

On 2/14/2023 at 2:00 AM, Happy2Play said:

"Don't know anything about the LDAP plugin, Devs will have to comment, but yes, knowing the url/itemid can circumvent access restrictions on an authenticated user in my tests. @Luke tested current release and beta (if itemid is known any item can be accessed)"

Yes, that's right. The problem is exactly this. Can you do it? Perhaps some kind of "key" in order to be able to switch these access check modes.

Luke, posted February 21, 2023

Hi, we'll take a look at it. Thanks for reporting.
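
The access check this thread asks for, as an added example that is not part of any post and is not Emby's code: a direct-link lookup that enforces the same folder grants as browsing. The item ids, the `User` class and all function names are hypothetical, and the library tree is constructed sample data.

```python
from dataclasses import dataclass, field

# Constructed sample library: item id -> parent id (None marks a library root).
PARENTS = {
    "lib-hr": None, "lib-eng": None,
    "hr-onboarding": "lib-hr", "eng-talks": "lib-eng",
    "vid-101": "hr-onboarding", "vid-202": "eng-talks",
}

@dataclass
class User:
    name: str
    # Empty by default, matching the "empty set of rights" described in the thread.
    allowed_folders: set = field(default_factory=set)

def ancestors(item_id):
    """Yield the item and every folder above it, up to the library root."""
    seen = set()  # guards against a cyclic parent chain
    while item_id is not None and item_id not in seen:
        seen.add(item_id)
        yield item_id
        item_id = PARENTS.get(item_id)

def can_access(user, item_id):
    """True only if the item exists and sits under a folder granted to the user."""
    if item_id not in PARENTS:
        return False
    return any(node in user.allowed_folders for node in ancestors(item_id))

def get_item_by_link_unchecked(user, item_id):
    """Behaviour reported in the thread: any authenticated user resolves any known id."""
    return (200, item_id) if item_id in PARENTS else (404, None)

def get_item_by_link(user, item_id):
    """Same lookup with the folder check applied to the direct link as well."""
    # Missing and forbidden ids get the same answer, so a reply never confirms an id exists.
    if not can_access(user, item_id):
        return (404, None)
    return (200, item_id)

if __name__ == "__main__":
    eng = User("eng-user", {"eng-talks"})
    print(get_item_by_link_unchecked(eng, "vid-101"))  # shared link resolves
    print(get_item_by_link(eng, "vid-101"))            # shared link refused
```
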