Regular user can view non-authorized content

Post your Server Bug Report
User avatar
troycarpenter
Posts: 138
Joined: 03 Dec 2013, 19:16
Has thanked: 28 times
Been thanked: 50 times

Regular user can view non-authorized content

Unread post by troycarpenter »

MADSONIC 6.2.9260.8df1ddd.20170215.1037

I have a folder called "NEW" to which only the admin user has access. I have a normal user who is not supposed to see content in the NEW directory. However, when using a mobile app with the REST API, that user can get a genre list that not only shows the genres of content in the NEW directory, but also shows the content when that genre is selected. The content appears in the play queue and the mobile app displayed the album art. It appears that the content cannot actually be downloaded and played, but the fact that the content appears in the user's mobile app is needs to be fixed, especially if album art would be considered inappropriate for younger users.

In an ideal world, I would expect that not only would the content not appear when selecting the genre, but that the genre itself should not be in the list, and if the genre exists in folders the user does have access to that the counts be adjusted. I also noticed that the "Recently Added" count in the mobile app included the forbidden content, but the content did NOT show up in the content list. I would not expect the "Recently Added" count to reflect content from forbidden folders either.

Note that in the web GUI, I was able to see the genre in the "Genre Radio" screen, but selecting that genre did not reveal any content. But even here the genre should not be displayed if in a folder to which the user does not have access.
Post Reply