Can't invite user to server but they have admin access?


Guest kkmia
Posted

I created a user account here and tried to invite it to my Emby server via username and email. When I click invite it starts spinning, then it closes the window and the user isn't popping up below pending or anything like that.

Then, I log in through app.emby.media and I can see my server to select while being that user. While I am that user I click the server, click connect, and I'm logged in as the admin account. Does anyone know what is going on?

Guest kkmia
Posted

Also, just a follow-up. I created another account and that worked just fine. Can this account be deleted? The one I'm currently posting with, kkmia, needs to be deleted

Happy2Play
Posted

@@Abobader

  • 6 months later...
lucas200400
Posted (edited)

Just had the same thing happen. I created a new account for a family member, without inviting them. I logged in as the new account and added my server. Then when I clicked on my server I was my admin account.

Honestly it should have kept me out and sent a request that someone would like access OR better yet hide the server when no invite is sent to the user. I really like how Plex handles it for security. Though a glaring security issue like this may make me stop my test deployment of Emby as this needs SERIOUS QA for the security hazard. Especially since as admin I can delete content via desktop and mobile.

Edited by lucas200400
Happy2Play
Posted

You would need to list the exact steps taken as I just performed Add Local User and Invite with Emby Connect and neither user was created with Admin access.

lucas200400
Posted

Replication Steps:

  1. Create server, set to have external access with a standard admin account. Make sure you can get in externally with admin account.
    1. Go into server settings
    2. Edit users
    3. Make sure admin has [ ] 'Hide this user from login screens' (unchecked; it was this way for me by default. Or the risk of a security breach wasn't made clear enough if this was part of the setup.)
  2. Open a browser session that is not signed into Emby
  3. Create a new user account at http://app.emby.media
  4. Go back to http://app.emby.media and sign into the new account
  5. Add external server address from step 1.
  6. When shown to manually login, click admin users icon

Actual Result: You will be logged in as the admin and the new account won't be part of the server yet. This grants full admin credentials from what I can tell as you are signed in as the admin with no additional security checkpoints.

Expected Result: That you are requesting access to said server, or have a setting to keep uninvited users from adding servers exposed to the world, without first being invited by the admin.

That said, 'Hide this user from login screens' needs WAY better documentation and at least a secondary PIN code to protect it.

To verify this I did it a second time and gained admin access. [x] 'Hide this user...' seems to prevent this.

Posted

Hi. Your step 4 has nothing to do with your server. You just created an account on this forum/Emby Connect.

Then, in steps 5 and 6 you logged into your server as the unprotected Admin account.

You should never expose any account externally without a password. That appears to be the crux of what is going on here.

Please let us know if this answers your question.

Thanks!
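
Added example, not part of the thread and not Emby's own code: a small audit that flags enabled accounts with no password, ranking an administrator shown on the login screen highest, which is the condition described in the replication steps and the reply above. The user list is constructed sample data, and the field names (`HasPassword`, `Policy.IsAdministrator`, `Policy.IsHidden`, `Policy.IsDisabled`) are assumptions to confirm against your own server's user export.

```python
import json

# Constructed sample, not real server output. Field names (HasPassword,
# Policy.IsAdministrator / IsHidden / IsDisabled) are assumptions; confirm
# them against what your own server returns before relying on this.
SAMPLE_USERS = json.loads("""[
 {"Name": "admin", "HasPassword": false,
  "Policy": {"IsAdministrator": true, "IsHidden": false, "IsDisabled": false}},
 {"Name": "ops", "HasPassword": false,
  "Policy": {"IsAdministrator": true, "IsHidden": true, "IsDisabled": false}},
 {"Name": "family", "HasPassword": true,
  "Policy": {"IsAdministrator": false, "IsHidden": false, "IsDisabled": false}},
 {"Name": "kiosk", "HasPassword": false,
  "Policy": {"IsAdministrator": false, "IsHidden": false, "IsDisabled": false}},
 {"Name": "old", "HasPassword": false,
  "Policy": {"IsAdministrator": true, "IsHidden": false, "IsDisabled": true}},
 {"Name": "legacy"}
]""")

RANK = {"critical": 0, "high": 1, "medium": 2}

def audit_users(users):
    """Return (severity, name, reason) for every enabled passwordless account."""
    findings = []
    for user in users:
        policy = user.get("Policy") or {}
        if policy.get("IsDisabled", False):
            continue  # a disabled account cannot sign in
        if user.get("HasPassword", False):
            continue  # missing field counts as "no password" (fail closed)
        admin = policy.get("IsAdministrator", False)
        hidden = policy.get("IsHidden", False)  # missing counts as visible
        if admin and not hidden:
            finding = ("critical", "admin without password, shown on login screen")
        elif admin:
            finding = ("high", "admin without password, hidden from login screen")
        else:
            finding = ("medium", "account without password")
        findings.append((finding[0], user.get("Name", "<unnamed>"), finding[1]))
    return sorted(findings, key=lambda f: (RANK[f[0]], f[1]))

if __name__ == "__main__":
    for severity, name, reason in audit_users(SAMPLE_USERS):
        print(f"{severity:8} {name:8} {reason}")
```

A hidden administrator is still reported because hiding an account from the login screen does not give it a credential.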
