Emby API exposes user information to normal user


Posted

Hey,

I just discovered today that a normal user, not an admin user, can get some more user data from the Emby API by calling the /users API method. And with "a bit more", I mean a little bit too much in my opinion.

Usernames, if a password is set, which libraries, last login, policy.

Was this designed like this? This is bad in my opinion.

When I hide a user, I expect them to be hidden and not be shown by a simple API call.

For reference, the API data I got back (keep in mind, I'm a normal user):

  'Name': 'TestUser',
  'Policy': {'AccessSchedules': [],
             'AuthenticationProviderId': 'LDAP.AuthenticationProvider',
             'BlockUnratedItems': [],
             'BlockedTags': [],
             'DisablePremiumFeatures': False,
             'EnableAllChannels': True,
             'EnableAllDevices': True,
             'EnableAllFolders': False,
             'EnableAudioPlaybackTranscoding': True,
             'EnableContentDeletion': False,
             'EnableContentDeletionFromFolders': [],
             'EnableContentDownloading': True,
             'EnableLiveTvAccess': False,
             'EnableLiveTvManagement': False,
             'EnableMediaConversion': True,
             'EnableMediaPlayback': True,
             'EnablePlaybackRemuxing': True,
             'EnablePublicSharing': False,
             'EnableRemoteAccess': True,
             'EnableRemoteControlOfOtherUsers': False,
             'EnableSharedDeviceControl': True,
             'EnableSubtitleDownloading': False,
             'EnableSubtitleManagement': False,
             'EnableSyncTranscoding': True,
             'EnableUserPreferenceAccess': True,
             'EnableVideoPlaybackTranscoding': True,
             'EnabledChannels': [],
             'EnabledDevices': [],
             'EnabledFolders': ['f137a2dd21bbc1b99aa5c0f6bf02a805',
                                '43cfe12fe7d9d8d21251e0964e0232e2',
                                '0f920225b8e5aea2d18fa749191cbda7',
                                '7e64e319657a9516ec78490da03edccb',
                                'dbbcb697ad52d5e9939f9ec1e9fc2c07'],
             'ExcludedSubFolders': [],
             'InvalidLoginAttemptCount': 0,
             'IsAdministrator': False,
             'IsDisabled': False,
             'IsHidden': True,
             'IsHiddenRemotely': True,
             'RemoteClientBitrateLimit': 0},
  'ServerId': '97c88c7136a246c4b4510764de35xxxx'},
 {'Configuration': {'AudioLanguagePreference': 'eng',
                    'DisplayCollectionsView': False,
                    'DisplayMissingEpisodes': False,
                    'EnableLocalPassword': False,
                    'EnableNextEpisodeAutoPlay': False,
                    'GroupedFolders': [],
                    'HidePlayedInLatest': True,
                    'LatestItemsExcludes': [],
                    'MyMediaExcludes': [],
                    'OrderedViews': [],
                    'PlayDefaultAudioTrack': False,
                    'RememberAudioSelections': True,
                    'RememberSubtitleSelections': True,
                    'SubtitleLanguagePreference': 'eng',
                    'SubtitleMode': 'Default'},
  'HasConfiguredEasyPassword': False,
  'HasConfiguredPassword': True,
  'HasPassword': True,
  'Id': 'ae93cc9d3b8543b5be212d6833f9cdbc',
  'LastActivityDate': '2019-05-13T18:19:31.7845417+00:00',
  'LastLoginDate': '2019-04-18T17:45:59.3339433+00:00',

In a family household this is barely okay, but this in a company? Nope.

Wouldn't it be better to first authenticate the user and then only show him information about his account and not all accounts on the server?
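As an added example (Python written for this thread, not Emby's own code), this is the authorization rule the post asks for, modelled over records shaped like the dump above: the caller must be authenticated, an administrator sees everything, any other user sees only their own record in full, hidden users are never listed to non-admins, and an audit helper reports which sensitive fields a response still exposes about other accounts. The field names follow the dump; the user records, ids, dates and all function names are constructed for the example.

```python
"""Server-side filtering for a /Users-style listing.

Added example, not Emby's code: it models the behaviour the post asks for.
Field names (Name, Id, Policy, IsAdministrator, IsHidden, HasPassword,
LastLoginDate) follow the response shown in the post; the records, ids and
dates are constructed sample data, and every function name is hypothetical.
"""
from copy import deepcopy

# Constructed sample user store in the shape of the records in the post.
USERS = [
    {
        "Name": "AdminUser",
        "Id": "admin-0001",
        "HasPassword": True,
        "LastLoginDate": "2019-05-01T10:00:00.0000000+00:00",
        "Policy": {"IsAdministrator": True, "IsHidden": False,
                   "EnabledFolders": ["folder-a", "folder-b"]},
    },
    {
        "Name": "TestUser",
        "Id": "user-0002",
        "HasPassword": True,
        "LastLoginDate": "2019-04-18T17:45:59.3339433+00:00",
        "Policy": {"IsAdministrator": False, "IsHidden": False,
                   "EnabledFolders": ["folder-a"]},
    },
    {
        "Name": "HiddenUser",
        "Id": "user-0003",
        "HasPassword": False,
        "LastLoginDate": "2019-03-02T08:15:00.0000000+00:00",
        "Policy": {"IsAdministrator": False, "IsHidden": True,
                   "EnabledFolders": ["folder-b"]},
    },
]

# The only fields a non-admin may learn about *another* account, and only
# when a client genuinely needs a user picker: display name and id.
PUBLIC_FIELDS = {"Name", "Id"}

# Fields that describe an account's security posture or activity; they
# must never reach a caller who is not the account owner or an admin.
SENSITIVE_FIELDS = {"Policy", "Configuration", "HasPassword",
                    "HasConfiguredPassword", "HasConfiguredEasyPassword",
                    "LastLoginDate", "LastActivityDate"}


def find_user(users, user_id):
    """Return the record whose Id matches, or None."""
    return next((u for u in users if u["Id"] == user_id), None)


def list_users_for(caller_id, users=USERS, allow_public_names=False):
    """Apply the authorization rule the post asks for.

    - an unauthenticated caller gets an error, not a list;
    - an administrator gets every record in full;
    - anyone else gets their own record in full and, only if
      allow_public_names is set, the name and id of non-hidden users.
    """
    caller = find_user(users, caller_id)
    if caller is None:
        raise PermissionError("listing users requires an authenticated caller")
    if caller["Policy"]["IsAdministrator"]:
        return deepcopy(users)
    result = []
    for user in users:
        if user["Id"] == caller_id:
            result.append(deepcopy(user))          # own account, unredacted
        elif allow_public_names and not user["Policy"]["IsHidden"]:
            result.append({k: user[k] for k in PUBLIC_FIELDS})
    return result


def audit_exposure(response, caller_id):
    """Check an endpoint's actual response from a non-admin's point of view.

    Returns {other_user_name: [leaked field, ...]} for every record that is
    not the caller's own and still carries a sensitive field; an empty dict
    means the response is clean.
    """
    leaks = {}
    for user in response:
        if user.get("Id") == caller_id:
            continue
        exposed = sorted(SENSITIVE_FIELDS.intersection(user))
        if exposed:
            leaks[user["Name"]] = exposed
    return leaks


if __name__ == "__main__":
    # The unfiltered store is what the post reports seeing as a normal user.
    print("unfiltered:", audit_exposure(USERS, "user-0002"))
    # The filtered listing leaks nothing about other accounts.
    filtered = list_users_for("user-0002", allow_public_names=True)
    print("filtered:  ", audit_exposure(filtered, "user-0002"))
```

Running `audit_exposure` over the raw store reproduces the complaint in the post (policy, password state and last login of every other account, hidden ones included, visible to a normal user); running it over the filtered listing returns an empty dict. The audit half is also usable on its own against a real JSON response, as a regression check after the endpoint is tightened.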

Posted

Hi, yes we can look at improving this, thanks.
