
getAlbumList exposes all albums despite user access

Posted: 07 Nov 2017, 00:44
by video
With the REST API:
getAlbumList exposes all albums despite user access

Thus a less privileged user can see all the available songs on the server despite only having access to a certain folder.

This can be addressed for client app use by using the getMusicFolders method and then calling getAlbumList with only those folder IDs. This, however, shouldn't be necessary. getAlbumList should only return album IDs that the user has access to.

Thanks.

MADSONIC 6.2.9080.2a5cd1f.20161222.0530
MADSONIC REST API v2.5.0, SUBSONIC REST API v1.14.0
jetty/8.y.z-SNAPSHOT, java 1.8.0_152, Linux 4.13.9-1-ARCH (amd64) (419.5 MB / 1.41 GB)
Spring.Framework v3.2.17, Spring.Security v3.2.9, HyperSQL DataBase v2.3.4
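
The client-side workaround described in the post, together with a check that reports whether an unscoped getAlbumList call returns albums outside the user's folders. This is an added example, not part of the original post and not Madsonic code. It assumes that getMusicFolders returns only the folders the user may access (the post's premise) and uses the `musicFolderId` parameter of getAlbumList from the Subsonic REST API; the `fetch` transport, the helper names and the `fake_fetch` data are hypothetical and constructed for the example.

```python
from typing import Callable, Dict, List

# fetch(method, params) returns the parsed "subsonic-response" object.
Fetch = Callable[[str, Dict[str, str]], dict]

def permitted_folder_ids(fetch: Fetch) -> List[str]:
    """Folder ids that getMusicFolders reports for the authenticated user."""
    folders = fetch("getMusicFolders", {}).get("musicFolders", {})
    return [str(f["id"]) for f in folders.get("musicFolder", [])]

def list_albums(fetch: Fetch, extra: Dict[str, str], size: int = 500) -> Dict[str, dict]:
    """Page through getAlbumList (size is capped at 500 per call)."""
    albums, offset = {}, 0
    while True:
        params = {"type": "alphabeticalByName", "size": str(size),
                  "offset": str(offset), **extra}
        page = fetch("getAlbumList", params).get("albumList", {}).get("album", [])
        albums.update({str(a["id"]): a for a in page})
        if len(page) < size:
            return albums
        offset += size

def scoped_albums(fetch: Fetch, size: int = 500) -> Dict[str, dict]:
    """Workaround: only request albums from folders the user may see."""
    albums = {}
    for fid in permitted_folder_ids(fetch):
        albums.update(list_albums(fetch, {"musicFolderId": fid}, size))
    return albums

def leaked_album_ids(fetch: Fetch, size: int = 500) -> List[str]:
    """Ids the unscoped call returns beyond the user's folders (empty when enforced)."""
    return sorted(set(list_albums(fetch, {}, size)) - set(scoped_albums(fetch, size)))

# Constructed stand-in for a server: the user may see folder 1 only, and the
# unscoped getAlbumList call ignores that restriction, as reported in the post.
ALBUMS = [{"id": "a1", "folder": "1"}, {"id": "a2", "folder": "1"},
          {"id": "a3", "folder": "2"}]

def fake_fetch(method: str, params: Dict[str, str]) -> dict:
    if method == "getMusicFolders":
        return {"musicFolders": {"musicFolder": [{"id": 1, "name": "Shared"}]}}
    rows = [a for a in ALBUMS if params.get("musicFolderId") in (None, a["folder"])]
    start = int(params["offset"])
    return {"albumList": {"album": rows[start:start + int(params["size"])]}}

if __name__ == "__main__":
    print(sorted(scoped_albums(fake_fetch)), leaked_album_ids(fake_fetch))
```

A non-empty result from `leaked_album_ids` for a restricted test account means the server is not enforcing folder access on getAlbumList, so the same check can serve as a regression test once the server-side filter is in place.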