
Permission bug. Everyone can access Live TV


shocker
Posted (edited)

Hello,

   If you enable and then disable the Live TV library for a user, that user will still be able to access the library via the Live TV endpoint URL, e.g. https://emby.server.tld/web/index.html#!/livetv/livetv.html?serverId=your_server_id

 

How to reproduce:

   1. Enable Live TV for a user.
   2. Go to Live TV and save the URL.
   3. Disable Live TV for the user.
   4. You will see that Live TV is not visible in the library, but if you enter the saved URL you will still be able to access Live TV.

 

This is common if users are saving the Live TV URLs as bookmarks, and they can bypass your option.

 

Thanks!

Edited by shocker
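The report above (and the later remark that a security check is missing in this section of code) describes the classic gap between hiding a menu entry and authorizing a request. The following is an added example, not Emby's code: a small JavaScript model that walks through the reporter's four reproduction steps against an endpoint that relies on the hidden link, and against the same endpoint guarded by a per-request permission check. The policy field name `EnableLiveTvAccess`, the sample users and the bookmark path are all constructed for illustration.

```javascript
// Added example, not Emby's code. Models the reported bug: hiding the Live TV
// entry in the navigation is not an access check; the page reached through a
// bookmarked URL has to be authorized on every request on the server side.
// The policy field name `EnableLiveTvAccess` is assumed for illustration.

function makeUser(name, liveTvAllowed) {
  // Constructed sample user; `policy` mirrors a per-user permission flag.
  return { name, policy: { EnableLiveTvAccess: liveTvAllowed } };
}

// Client side, as the reporter observed: the library list is built from the
// policy, so a user without the permission simply does not see "livetv".
function visibleLibraries(user) {
  const libs = ["movies", "tvshows"];
  if (user.policy.EnableLiveTvAccess === true) libs.push("livetv");
  return libs;
}

// Vulnerable pattern: the Live TV endpoint assumes only entitled users reach
// it because the link was hidden. A saved URL skips the navigation entirely.
function liveTvHandlerUnchecked(user, request) {
  return { status: 200, body: { channels: ["ch1", "ch2"], path: request.path } };
}

// Hardened pattern: wrap the handler so the permission is re-read from the
// user's current policy on every request, whatever route the client took.
function requireLiveTvAccess(handler) {
  return function guarded(user, request) {
    if (!user || !user.policy || user.policy.EnableLiveTvAccess !== true) {
      return { status: 403, body: { error: "Live TV is disabled for this user" } };
    }
    return handler(user, request);
  };
}
const liveTvHandler = requireLiveTvAccess(liveTvHandlerUnchecked);

// Walks through the report's reproduction steps against a given handler:
// grant, bookmark the URL, revoke, replay the bookmark.
function reproduce(handler) {
  const user = makeUser("bob", true);                                  // step 1: enabled
  const bookmark = { path: "/livetv/livetv.html?serverId=example-id" }; // step 2: saved URL
  const whileEnabled = handler(user, bookmark).status;
  user.policy.EnableLiveTvAccess = false;                              // step 3: disabled
  const listedAfterRevoke = visibleLibraries(user).includes("livetv");
  const afterRevoke = handler(user, bookmark).status;                  // step 4: replay bookmark
  return { whileEnabled, listedAfterRevoke, afterRevoke };
}

// Stand-alone run: the unchecked handler still answers 200 after the revoke
// even though the library is no longer listed; the guarded one answers 403.
console.log("unchecked:", reproduce(liveTvHandlerUnchecked));
console.log("guarded:  ", reproduce(liveTvHandler));
```

The point of the wrapper is that the decision is made from the user's current policy at request time, so logging out and back in, or never logging out at all, makes no difference: a revoked permission takes effect on the next request rather than on the next navigation.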
Posted

What happens if you log out and then log back in again?  Does the URL still work?

shocker
Posted

What happens if you log out and then log back in again?  Does the URL still work?

 

Just tested; yes, the URL is still valid even though I don't have the Live TV permission. Is it just me, or can you reproduce this as well?

Posted

Yes I was able to reproduce it as well.

 

This doesn't seem to work for Movie or TV show libraries or the admin dashboard but only in LiveTV.

 

Looks like a security check is missing in this section of code.

@Luke

Posted

Thanks for the report. We'll take a look.

1 month later...
shocker
Posted

Thanks for the report. We'll take a look.

Hello,

Any findings?

 

Thanks

Posted

We'll review this for a future update, thanks.

Sammy
Posted

Fortunately for me none of my users are smart enough to do this...

Spaceboy
Posted

Fortunately for me none of my users are smart enough to do this...

I know, but this just highlights the shortcuts and hacks that have been used in getting to where we are now. What other shortcuts have been taken that haven't been discovered by users here yet?

 

It's impossible not to think about the security breaches we saw a few weeks ago. How can the devs be SO certain they have identified the issue when anyone would naturally assume that this approach is taken across the board?
