
Just discovered a potentially horrifying problem


Go to solution Solved by Luke,


jluce50
Posted (edited)

I have a "restricted" library and a user that only has access to that library. No other users have permission to see anything in that library. I discovered today that if I'm logged in as a user that shouldn't have access to that library, I can click the three-dot menu (or right click) on the Playlists item in the My Media section of the Home Screen, select Shuffle, and it will play items from the restricted library's playlists. Very not good! Clicking on the Playlists item just shows me the playlists I expect to see (i.e. not restricted playlists).


Edited by jluce50
jluce50
Posted
On 1/19/2026 at 8:12 PM, Luke said:

Hi there, can you please provide a specific example?

How to Report a Problem

Thanks!

Not sure what information is helpful, but here's the relevant info I can think of:

For the restricted library, "Exclude from global search" is enabled.

For my non-restricted user, the restricted library is unchecked in the Access panel of User settings.

It's difficult to reproduce since most of the time I get a "Playback error" or some other file from my library (no idea what's actually happening behind the scenes here...). I'll keep trying and post the relevant log info if I'm able to make it happen again.

jluce50
Posted
On 1/19/2026 at 8:12 PM, Luke said:

Hi there, can you please provide a specific example?

How to Report a Problem

Thanks!

I was finally able to reproduce this again. I ran the test at 12:34, so I grabbed the relevant section of the log starting at 12:32 until the end. I replaced the title of the video with "[scrubbed]", but it should definitely not be playable by the user I'm logged in as. I know the whole log is ideal, but there's too much stuff to scrub out. Let me know if this isn't sufficient.

 

embyserver.txt

pwhodges
Posted

Heh - so maybe your security concern over logs prevents you potentially giving enough information to fix another security concern :)! But actually, Luke will accept logs by PM, so you can get them to him that way for security.

Paul

Tigga5
Posted

Oh, this is awesome. Just tested this myself from my kid's account to see if it was a fluke. Literally the first thing that played was a restricted video from a library they don't even have access to. WTF??

This is truly pathetic. It's becoming a recurring theme that "Restricted" in Emby is just a polite suggestion rather than an actual permission. When are the devs going to start taking parental controls and data access seriously?

jluce50
Posted
6 hours ago, Tigga5 said:

Oh, this is awesome. Just tested this myself from my kid's account to see if it was a fluke. Literally the first thing that played was a restricted video from a library they don't even have access to. WTF??

This is truly pathetic. It's becoming a recurring theme that "Restricted" in Emby is just a polite suggestion rather than an actual permission. When are the devs going to start taking parental controls and data access seriously?


Is this you by any chance? Either way, looks like we're not the only ones frustrated by this...
 

 

DarKni8
Posted (edited)

Man, this is some pathetic coding for such a reputed app. It may be fixed in a few years, looking at the track record.

Edited by DarKni8
  • Solution
Posted

Hi, this is resolved for the next set of server and app releases. Thanks.
