
[Solved] Playlist Accessability

Posted: 10 Feb 2015, 19:25
by troycarpenter
First, let me define some terms because I started to confuse myself while writing this in another forum. For playlists, I'm using three specific terms: See=A playlist visible in the playlist list. Use=Able to view and play the songs on the list. Edit=Change any properties of the list (name and public/private) implies they can use it as well.

Using MADSONIC 5.2.5420.20141215.0303 with Madsonic and dSub clients. Issue happens with both clients.

For non-administrators, playlists seem to be working as expected. Using Dsub as a client, a non-admin user can see and edit their own playlists. They can also see and use public lists (not edit). A non-admin user cannot see other users' private lists.

As an admin user, in Dsub I can see every playlist, public or private from any user. I am presented all the options for all those lists (play the playlist, or even edit the properties). However, if I try to use or edit any private list, I get an authorization error. With Madsonic client I've not figured out how to edit a playlist, but I certainly can't use any private list even though I can see them.

I would like for an admin level user at a minimum to be able to use a private list from another user, especially since the admin user can see the list. An add on would be to let the admin user change the public/private flag and possibly delete the list. Best case would be complete control just like is available through the web interface.

Right now it seems like a bug to give the admin user the ability to see all the lists, but not be able to even use one of them. Access to use the lists and at least edit the public/private flag would help me in my multi-user family where everyone has their own accounts and often forget to create playlists with the public flag set. I would then be able to load their lists on my phone while traveling, or let them share lists with each other when they forget to set the public flag.

Re: Playlist Accessability

Posted: 10 Feb 2015, 20:35
by DoCC
ehm are you talking about using some weird mobile clients?
for administration purposes always use the normal webinterface.

Re: Playlist Accessability

Posted: 10 Feb 2015, 20:46
by troycarpenter
The Madsonic Android client is a "weird mobile client"? I can duplicate the bug with it as well. I was providing evidence that it's not a client issue because it happens in two separate *sonic clients.

In Madsonic Android client, as an admin user, I can see every playlist on the system, but I get an authorization error if I try to use any one that is marked private.

Either one of two things needs to change...either the admin user can't see every playlist (then the bug is that the admin user can see lists that should not be visible), or give the admin user access to every list (in which case the bug is that the admin user isn't properly authorized to use the lists). I would think everyone would prefer the latter solution, and that's probably what is intended since the admin user can see the lists.

Whichever direction it goes, there is still a bug on the server.

Re: Playlist Accessability

Posted: 11 Feb 2015, 10:38
by DoCC
is this just a mobile related bug, or does this occur via normal webiface usage as well ?
you didn't tell that ^^

Re: Playlist Accessability

Posted: 11 Feb 2015, 16:09
by daneren2005
It is a bug with the REST API.


Re: Playlist Accessability

Posted: 11 Feb 2015, 16:22
by troycarpenter
Quite right. When using the web interface, the admin user has complete control over everything. However, that doesn't make this a mobile bug by default. It's more likely the bug is in the authentication code on the server used to determine if the admin user has rights to see/use/edit playlists via the REST API.

On the other hand, since most *sonic mobile clients appear to come from the same codebase, perhaps all the mobile clients share the same bug deep down. Whether it's the Madsonic server or the Madsonic mobile client, I guess there needs to be investigation as to which it is.

Here are the steps to reproduce:

1. Regular user #1 creates a private playlist, PL1
2. Admin uses Madsonic mobile client to show playlists on the server. PL1 is in the list.
3. Admin clicks on PL1 to view the tracks. Observe the following error:
"github.madmarty.madsonic.service.parser.SubsonicRESTException: Not authorized. Check user permissions in Madsonic Server"

Expected Result: When the admin user selects PL1, the contents are displayed and can be added to the play queue.

Use case: The admin user's device is used to play music connected to a head-unit in a vehicle. It is decided to listen to a playlist created by someone else in the vehicle. The admin user should be able to select and play the playlist without consideration of the private/public settings of the list. The admin should not need to launch a web browser to change the properties of the playlist while driving down the road.

Re: Playlist Accessability

Posted: 12 Feb 2015, 16:34
by troycarpenter
Ok, I think I found where this needs to be fixed to allow the admin user to read any playlist. Note that the code below says it's from the 5.1 branch. I don't know if the line numbers match current code.

https://github.com/MadMarty/madsonic-se ... rvice.java

Lines 164 - 172:

    public boolean isReadAllowed(Playlist playlist, String username) {
        if (username == null) {
            return false;
        }
        if (username.equals(playlist.getUsername()) || playlist.isPublic()) {
            return true;
        }
        return playlistDao.getPlaylistUsers(playlist.getId()).contains(username);
    }

Modify this routine to account for the admin user.

Alternatively, the check can be bypassed altogether at https://github.com/MadMarty/madsonic-se ... oller.java
Lines 713-716:

    if (!playlistService.isReadAllowed(playlist, username)) {
        error(request, response, ErrorCode.NOT_AUTHORIZED, "Permission denied for playlist " + id);
        return;
    }

In this case, just bypass this check if the user is admin.

To make it so the admin user can edit any list (which according to the code seems to be the desired action), similar changes need to be made to lines 174-176 of PlayListService.java:

    public boolean isWriteAllowed(Playlist playlist, String username) {
        return username != null && username.equals(playlist.getUsername());
    }

or bypass the check at line 927 in RESTController.java:

    if (!playlistService.isWriteAllowed(playlist, username)) {
        error(request, response, ErrorCode.NOT_AUTHORIZED, "Permission denied for playlist " + id);
        return;
    }

In both cases, I think the proper place to make the change is in the isReadAllowed and isWriteAllowed functions.
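
An added sketch of the change proposed in the post above (not part of the original post and not Madsonic's code): the admin override lives in the read/write predicates, and the playlist listing is filtered with the same predicate, so "see" and "use" cannot disagree. The `Playlist`, `User` and `visibleTo` names and the boolean admin flag are hypothetical stand-ins.

```java
import java.util.*;

// Added illustration; Playlist, User and visibleTo are hypothetical stand-ins,
// not Madsonic's classes or API.
public class PlaylistAccessDemo {
    record Playlist(int id, String owner, boolean isPublic, Set<String> sharedWith) {}
    record User(String name, boolean admin) {}

    // Single policy used by both the listing ("see") and the fetch ("use") paths.
    static boolean isReadAllowed(Playlist p, User u) {
        if (u == null || u.name() == null) return false;   // unauthenticated: deny
        if (u.admin()) return true;                        // admin override, decided in one place
        return u.name().equals(p.owner()) || p.isPublic() || p.sharedWith().contains(u.name());
    }

    // "Edit": owner or admin only; a shared or public list stays read-only for others.
    static boolean isWriteAllowed(Playlist p, User u) {
        if (u == null || u.name() == null) return false;
        return u.admin() || u.name().equals(p.owner());
    }

    // "See": the listing filters with the same predicate the fetch enforces,
    // so a playlist is never listed and then refused.
    static List<Playlist> visibleTo(Collection<Playlist> all, User u) {
        List<Playlist> out = new ArrayList<>();
        for (Playlist p : all) if (isReadAllowed(p, u)) out.add(p);
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample data mirroring the reproduction steps (PL1 is private).
        Playlist pl1 = new Playlist(1, "user1", false, Set.of());
        Playlist pl2 = new Playlist(2, "user1", true, Set.of());
        List<Playlist> all = List.of(pl1, pl2);
        User admin = new User("admin", true), user2 = new User("user2", false);

        for (User u : List.of(admin, user2, new User("user1", false))) {
            for (Playlist p : all) {
                boolean see = visibleTo(all, u).contains(p);
                boolean use = isReadAllowed(p, u);
                // Invariant the thread's bug violated: listed implies readable.
                if (see != use) throw new AssertionError("see/use mismatch for " + u.name());
                System.out.printf("%-6s PL%d see=%b use=%b edit=%b%n",
                        u.name(), p.id(), see, use, isWriteAllowed(p, u));
            }
        }
    }
}
```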

Re: Playlist Accessability

Posted: 04 May 2015, 23:23
by Madsonic
Hi Troycarpenter,

Thank you for this suggestion, I add this request to the next release,
so that admins have full read/write access to all playlists.

best regards

Re: Playlist Accessability

Posted: 02 Sep 2015, 00:14
by Madsonic
hi again,

This works now like your suggestion. Madsonic 6.0 + Android 5.7

Best regards

Re: [Solved] Playlist Accessability

Posted: 08 Dec 2015, 20:03
by troycarpenter
Sorry to take so long to get back on this. I just tested with a normal user's non-shared playlist and the admin user (me!) was able to load and play the list. In the past that gave an error.

Working as planned, now.

Thanks!