[Solved] Playlist Accessability

Post by troycarpenter » 10 Feb 2015, 19:25

First, let me define some terms because I started to confuse myself while writing this in another forum. For playlists, I'm using three specific terms:

See = A playlist visible in the playlist list.
Use = Able to view and play the songs on the list.
Edit = Change any properties of the list (name and public/private); implies they can use it as well.

Using MADSONIC 5.2.5420.20141215.0303 with Madsonic and dSub clients. Issue happens with both clients.

For non-administrators, playlists seem to be working as expected. Using Dsub as a client, a non-admin user can see and edit their own playlists. They can also see and use public lists (not edit). A non-admin user cannot see other users' private lists.

As an admin user, in Dsub I can see every playlist, public or private from any user. I am presented all the options for all those lists (play the playlist, or even edit the properties). However, if I try to use or edit any private list, I get an authorization error. With Madsonic client I've not figured out how to edit a playlist, but I certainly can't use any private list even though I can see them.

I would like for an admin-level user at a minimum to be able to use a private list from another user, especially since the admin user can see the list. An add-on would be to let the admin user change the public/private flag and possibly delete the list. Best case would be complete control just like is available through the web interface.

Right now it seems like a bug to give the admin user the ability to see all the lists, but not be able to even use one of them. Access to use the lists and at least edit the public/private flag would help me in my multi-user family where everyone has their own accounts and often forget to create playlists with the public flag set. I would then be able to load their lists on my phone while traveling, or let them share lists with each other when they forget to set the public flag.
troycarpenter
 
Posts: 120
Joined: 03 Dec 2013, 19:16
Location: Georgia, USA
Has thanked: 19 times
Been thanked: 49 times

Re: Playlist Accessability

Post by DoCC » 10 Feb 2015, 20:35

ehm, are you talking about using some weird mobile clients?
for administration purposes always use the normal web interface.
DoCC
Contributor
 
Posts: 210
Joined: 25 Feb 2014, 14:41
Location: UpperBavaria : ))
Has thanked: 41 times
Been thanked: 71 times

Re: Playlist Accessability

Post by troycarpenter » 10 Feb 2015, 20:46

The Madsonic Android client is a "weird mobile client"? I can duplicate the bug with it as well. I was providing evidence that it's not a client issue because it happens in two separate *sonic clients.

In Madsonic Android client, as an admin user, I can see every playlist on the system, but I get an authorization error if I try to use any one that is marked private.

One of two things needs to change: either the admin user can't see every playlist (then the bug is that the admin user can see lists that should not be visible), or give the admin user access to every list (in which case the bug is that the admin user isn't properly authorized to use the lists). I would think everyone would prefer the latter solution, and that's probably what is intended since the admin user can see the lists.

Whichever direction it goes, there is still a bug on the server.

Re: Playlist Accessability

Post by DoCC » 11 Feb 2015, 10:38

is this just a mobile-related bug, or does this occur via normal webiface usage as well?
you didn't tell that ^^

Re: Playlist Accessability

Post by daneren2005 » 11 Feb 2015, 16:09

It is a bug with the REST API.

daneren2005
Developer
 
Posts: 23
Joined: 03 Jan 2014, 00:20
Has thanked: 2 times
Been thanked: 11 times

Re: Playlist Accessability

Post by troycarpenter » 11 Feb 2015, 16:22

Quite right. When using the web interface, the admin user has complete control over everything. However, that doesn't make this a mobile bug by default. It's more likely the bug is in the authentication code on the server used to determine if the admin user has rights to see/use/edit playlists via the REST API.

On the other hand, since most *sonic mobile clients appear to come from the same codebase, perhaps all the mobile clients share the same bug deep down. Whether it's the Madsonic server or the Madsonic mobile client, I guess there needs to be investigation as to which it is.

Here are the steps to reproduce:

1. Regular user #1 creates a private playlist, PL1
2. Admin uses Madsonic mobile client to show playlists on the server. PL1 is in the list.
3. Admin clicks on PL1 to view the tracks. Observe the following error:
"github.madmarty.madsonic.service.parser.SubsonicRESTException: Not authorized. Check user permissions in Madsonic Server"

Expected Result: When the admin user selects PL1, the contents are displayed and can be added to the play queue.

Use case: The admin user's device is used to play music connected to a head-unit in a vehicle. It is decided to listen to a playlist created by someone else in the vehicle. The admin user should be able to select and play the playlist without consideration of the private/public settings of the list. The admin should not need to launch a web browser to change the properties of the playlist while driving down the road.

Re: Playlist Accessability

Post by troycarpenter » 12 Feb 2015, 16:34

Ok, I think I found where this needs to be fixed to allow the admin user to read any playlist. Note that the code below says it's from the 5.1 branch. I don't know if the line numbers match current code.

https://github.com/MadMarty/madsonic-se ... rvice.java

Lines 164 - 172:
Code:
    public boolean isReadAllowed(Playlist playlist, String username) {
        if (username == null) {
            return false;
        }
        if (username.equals(playlist.getUsername()) || playlist.isPublic()) {
            return true;
        }
        return playlistDao.getPlaylistUsers(playlist.getId()).contains(username);
    }

Modify this routine to account for the admin user.

Alternatively, the check can be bypassed altogether at https://github.com/MadMarty/madsonic-se ... oller.java
Lines 713-716:
Code:
      if (!playlistService.isReadAllowed(playlist, username)) {
         error(request, response, ErrorCode.NOT_AUTHORIZED, "Permission denied for playlist " + id);
         return;
      }

In this case, just bypass this check if the user is admin.

To make it so the admin user can edit any list (which according to the code seems to be the desired action), similar changes need to be made to lines 174-176 of PlayListService.java:

Code:
    public boolean isWriteAllowed(Playlist playlist, String username) {
        return username != null && username.equals(playlist.getUsername());
    }

or bypass the check at line 927 in RESTController.java:
Code:
      if (!playlistService.isWriteAllowed(playlist, username)) {
         error(request, response, ErrorCode.NOT_AUTHORIZED, "Permission denied for playlist " + id);
         return;
      }


In both cases, I think the proper place to make the change is in the isReadAllowed and isWriteAllowed functions.
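The approach proposed in the post above, as an added sketch that is not Madsonic's code and not the fix that later shipped: the admin override lives inside isReadAllowed and isWriteAllowed rather than in the controller, and the playlist listing is filtered with the same read check, so "see" and "use" cannot disagree. The Playlist record, the PlaylistPolicy class, the visibleTo method and the isAdmin parameter are hypothetical names, and isAdmin is assumed to come from the server's own user record rather than from anything the client sends.

```java
import java.util.*;

// Added illustration; Playlist, PlaylistPolicy, visibleTo and the isAdmin
// flag are hypothetical stand-ins, not Madsonic classes.
public class PlaylistPolicyDemo {

    record Playlist(int id, String owner, boolean isPublic, Set<String> sharedWith) {}

    static final class PlaylistPolicy {
        // One decision point: listing ("see") and reading ("use") share it,
        // so a playlist can never be visible but unreadable.
        boolean isReadAllowed(Playlist p, String username, boolean isAdmin) {
            if (username == null) return false;   // unauthenticated: deny
            if (isAdmin) return true;             // admin override
            return username.equals(p.owner()) || p.isPublic()
                    || p.sharedWith().contains(username);
        }

        boolean isWriteAllowed(Playlist p, String username, boolean isAdmin) {
            return username != null && (isAdmin || username.equals(p.owner()));
        }

        // The playlist list is filtered with the same read check.
        List<Playlist> visibleTo(Collection<Playlist> all, String username, boolean isAdmin) {
            return all.stream().filter(p -> isReadAllowed(p, username, isAdmin)).toList();
        }
    }

    public static void main(String[] args) {
        PlaylistPolicy policy = new PlaylistPolicy();
        // Constructed sample data.
        List<Playlist> all = List.of(
                new Playlist(1, "user1", false, Set.of()),          // PL1, private
                new Playlist(2, "user1", true, Set.of()),           // public
                new Playlist(3, "user2", false, Set.of("user1")));  // shared with user1

        String[][] callers = {{"admin", "true"}, {"user1", "false"}, {"user2", "false"}, {null, "false"}};
        for (String[] c : callers) {
            boolean admin = Boolean.parseBoolean(c[1]);
            for (Playlist p : all) {
                boolean see = policy.visibleTo(all, c[0], admin).contains(p);
                boolean use = policy.isReadAllowed(p, c[0], admin);
                boolean edit = policy.isWriteAllowed(p, c[0], admin);
                // Invariants from the thread's definitions: see == use, edit implies use.
                if (see != use || (edit && !use)) throw new AssertionError(c[0] + " / " + p.id());
                System.out.printf("%-5s playlist %d: see=%b use=%b edit=%b%n", c[0], p.id(), see, use, edit);
            }
        }
    }
}
```

The loop in main walks every caller and playlist combination and fails if a playlist is ever listed but unreadable, which is the inconsistency reported in this thread.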

Re: Playlist Accessability

Post by Madevil » 04 May 2015, 23:23

Hi Troycarpenter,

Thank you for this suggestion. I add this request to the next release,
so that admins have full read/write access to all playlists.

best regards
Madevil
Administrator
 
Posts: 906
Joined: 07 Dec 2012, 03:58
Has thanked: 1320 times
Been thanked: 951 times

Re: Playlist Accessability

Post by Madevil » 02 Sep 2015, 00:14

hi again,

This works now like your suggestion. Madsonic 6.0 + Android 5.7

Best regards

Re: [Solved] Playlist Accessability

Post by troycarpenter » 08 Dec 2015, 20:03

Sorry to take so long to get back on this. I just tested with a normal user's non-shared playlist and the admin user (me!) was able to load and play the list. In the past that gave an error.

Working as planned, now.

Thanks!