Guest, posted May 13, 2019

Hey, I just discovered today that a normal user, not an admin user, can get some more user data from the Emby API by calling the /users API method. And by "a bit more" I mean a little bit too much, in my opinion: usernames, whether a password is set, which libraries, last login, policy. Was this designed like this? This is bad in my opinion. When I hide a user, I expect them to be hidden and not be shown by a simple API call.

For reference, the API data I got back (keep in mind, I'm a normal user):

'Name': 'TestUser', 'Policy': {'AccessSchedules': [], 'AuthenticationProviderId': 'LDAP.AuthenticationProvider', 'BlockUnratedItems': [], 'BlockedTags': [], 'DisablePremiumFeatures': False, 'EnableAllChannels': True, 'EnableAllDevices': True, 'EnableAllFolders': False, 'EnableAudioPlaybackTranscoding': True, 'EnableContentDeletion': False, 'EnableContentDeletionFromFolders': [], 'EnableContentDownloading': True, 'EnableLiveTvAccess': False, 'EnableLiveTvManagement': False, 'EnableMediaConversion': True, 'EnableMediaPlayback': True, 'EnablePlaybackRemuxing': True, 'EnablePublicSharing': False, 'EnableRemoteAccess': True, 'EnableRemoteControlOfOtherUsers': False, 'EnableSharedDeviceControl': True, 'EnableSubtitleDownloading': False, 'EnableSubtitleManagement': False, 'EnableSyncTranscoding': True, 'EnableUserPreferenceAccess': True, 'EnableVideoPlaybackTranscoding': True, 'EnabledChannels': [], 'EnabledDevices': [], 'EnabledFolders': ['f137a2dd21bbc1b99aa5c0f6bf02a805', '43cfe12fe7d9d8d21251e0964e0232e2', '0f920225b8e5aea2d18fa749191cbda7', '7e64e319657a9516ec78490da03edccb', 'dbbcb697ad52d5e9939f9ec1e9fc2c07'], 'ExcludedSubFolders': [], 'InvalidLoginAttemptCount': 0, 'IsAdministrator': False, 'IsDisabled': False, 'IsHidden': True, 'IsHiddenRemotely': True, 'RemoteClientBitrateLimit': 0}, 'ServerId': '97c88c7136a246c4b4510764de35xxxx'}, {'Configuration': {'AudioLanguagePreference': 'eng', 'DisplayCollectionsView': False, 'DisplayMissingEpisodes': False, 'EnableLocalPassword': False, 'EnableNextEpisodeAutoPlay': False, 'GroupedFolders': [], 'HidePlayedInLatest': True, 'LatestItemsExcludes': [], 'MyMediaExcludes': [], 'OrderedViews': [], 'PlayDefaultAudioTrack': False, 'RememberAudioSelections': True, 'RememberSubtitleSelections': True, 'SubtitleLanguagePreference': 'eng', 'SubtitleMode': 'Default'}, 'HasConfiguredEasyPassword': False, 'HasConfiguredPassword': True, 'HasPassword': True, 'Id': 'ae93cc9d3b8543b5be212d6833f9cdbc', 'LastActivityDate': '2019-05-13T18:19:31.7845417+00:00', 'LastLoginDate': '2019-04-18T17:45:59.3339433+00:00',

In a family household this is barely okay, but this in a company? Nope. Wouldn't it be better to first authenticate the user and then only show him information about his account and not all accounts on the server?
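The check a practitioner would want to run against their own server, as an added example written by the editor and not code from the original post or from Emby: pull the user listing with an ordinary (non-admin) token and report every account other than the caller's, together with the sensitive fields the response exposed for it (password state, last login, hidden/admin flags, library ids). The endpoint path /emby/Users and the X-Emby-Token header are assumptions the post does not confirm; the sample response is constructed from the field names the post shows, with made-up identifiers.

```python
"""Audit what an Emby user token can read from the user-listing endpoint.

Added example (editor's code, not the original post's or Emby's). Assumptions:
the endpoint path /emby/Users and the X-Emby-Token header are not confirmed
by the post; SAMPLE_RESPONSE is constructed from the field names the post shows.
"""
import json
import urllib.request
from typing import Any, Dict, List

# Fields a non-admin caller has no business learning about *other* accounts.
SENSITIVE_TOP_FIELDS = {"HasPassword", "HasConfiguredPassword",
                        "LastLoginDate", "LastActivityDate"}
SENSITIVE_POLICY_FIELDS = {"IsAdministrator", "IsHidden", "IsHiddenRemotely",
                           "IsDisabled", "EnabledFolders",
                           "AuthenticationProviderId", "InvalidLoginAttemptCount"}


def fetch_users(base_url: str, token: str, timeout: float = 10.0) -> List[Dict[str, Any]]:
    """GET the user list with an ordinary (non-admin) access token.

    Assumed endpoint path and auth header; adjust if your server differs.
    """
    url = base_url.rstrip("/") + "/emby/Users"
    req = urllib.request.Request(
        url, headers={"X-Emby-Token": token, "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def audit_user_listing(users: List[Dict[str, Any]], caller_id: str) -> List[Dict[str, Any]]:
    """Report every account other than the caller's, with the sensitive fields
    the response exposed for it. An empty list is what a properly scoped
    endpoint should produce for a non-admin caller."""
    findings = []
    for user in users:
        if user.get("Id") == caller_id:
            continue  # the caller is entitled to see their own record
        policy = user.get("Policy") or {}
        exposed = sorted(f for f in SENSITIVE_TOP_FIELDS if f in user)
        exposed += sorted("Policy." + f for f in SENSITIVE_POLICY_FIELDS if f in policy)
        findings.append({
            "Id": user.get("Id"),
            "Name": user.get("Name"),
            "hidden": bool(policy.get("IsHidden") or policy.get("IsHiddenRemotely")),
            "exposed_fields": exposed,
        })
    return findings


def summarize(findings: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Roll findings up into the numbers worth putting in a ticket."""
    return {
        "other_accounts": len(findings),
        "hidden_accounts": sum(1 for f in findings if f["hidden"]),
        "sensitive_fields": sum(len(f["exposed_fields"]) for f in findings),
    }


# Constructed sample: the caller plus one hidden user, modelled on the field
# names in the post. Identifiers are made up.
CALLER_ID = "0000000000000000000000000000aaaa"
SAMPLE_RESPONSE = [
    {"Name": "caller", "Id": CALLER_ID, "HasPassword": True,
     "Policy": {"IsAdministrator": False, "IsHidden": False}},
    {"Name": "TestUser", "Id": "0000000000000000000000000000bbbb",
     "HasPassword": True, "HasConfiguredPassword": True,
     "HasConfiguredEasyPassword": False,
     "LastLoginDate": "2019-04-18T17:45:59+00:00",
     "LastActivityDate": "2019-05-13T18:19:31+00:00",
     "Policy": {"AuthenticationProviderId": "LDAP.AuthenticationProvider",
                "EnabledFolders": ["f137a2dd21bbc1b99aa5c0f6bf02a805"],
                "InvalidLoginAttemptCount": 0, "IsAdministrator": False,
                "IsDisabled": False, "IsHidden": True, "IsHiddenRemotely": True}},
]

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 4:  # usage: audit.py https://emby.example:8096 <token> <your user id>
        users = fetch_users(sys.argv[1], sys.argv[2])
        caller = sys.argv[3]
    else:  # offline: run against the constructed sample
        users, caller = SAMPLE_RESPONSE, CALLER_ID
    report = audit_user_listing(users, caller)
    print(json.dumps({"summary": summarize(report), "findings": report}, indent=2))
```

Run it with a token issued to a deliberately unprivileged test account; any finding at all means the listing is not scoped to the caller, and a finding with "hidden": true shows that the IsHidden flag is a display hint for clients rather than an access control on the API.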