getAlbumList exposes all albums despite user access


Post by video » 07 Nov 2017, 00:44

With the REST API:
getAlbumList exposes all albums despite user access

Thus a less privileged user can see all the available songs on the server despite only having access to a certain folder.

This can be addressed for client app use by using the getMusicFolders method and then calling getAlbumList with only those folder IDs. This, however, shouldn't be necessary. getAlbumList should only return album IDs that the user has access to.

Thanks.

MADSONIC 6.2.9080.2a5cd1f.20161222.0530
MADSONIC REST API v2.5.0, SUBSONIC REST API v1.14.0
jetty/8.y.z-SNAPSHOT, java 1.8.0_152, Linux 4.13.9-1-ARCH (amd64) (419.5 MB / 1.41 GB)
Spring.Framework v3.2.17, Spring.Security v3.2.9, HyperSQL DataBase v2.3.4
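
The workaround described in the post, plus a check for the reported behaviour, as an added example that is not part of the original post or of Madsonic's code. It assumes, as the post implies, that getMusicFolders returns only the folders the user may access; `fake_fetch`, the album data and the credentials are constructed so the block runs offline.

```python
import json
from urllib.parse import parse_qs, urlencode, urlsplit
from urllib.request import urlopen

def call(base_url, method, auth, fetch=None, **params):
    """Call one REST method; return the parsed 'subsonic-response' body."""
    url = f"{base_url}/rest/{method}.view?" + urlencode({**auth, "f": "json", **params})
    raw = fetch(url) if fetch else urlopen(url).read()
    body = json.loads(raw)["subsonic-response"]
    if body.get("status") != "ok":
        raise RuntimeError(f"{method} failed: {body.get('error')}")
    return body

def albums_in_permitted_folders(base_url, auth, fetch=None, list_type="newest"):
    """Workaround: one getAlbumList call per folder that getMusicFolders reports."""
    folders = call(base_url, "getMusicFolders", auth, fetch)["musicFolders"]
    albums = {}
    for folder in folders.get("musicFolder", []):
        page = call(base_url, "getAlbumList", auth, fetch, type=list_type,
                    size=500, musicFolderId=folder["id"])  # first page only
        for album in page.get("albumList", {}).get("album", []):
            albums[album["id"]] = album  # de-duplicate by album id
    return albums

def leaked_album_ids(base_url, auth, fetch=None, list_type="newest"):
    """Ids the unfiltered call returns that no permitted folder contains."""
    permitted = albums_in_permitted_folders(base_url, auth, fetch, list_type)
    everything = call(base_url, "getAlbumList", auth, fetch, type=list_type, size=500)
    listed = everything.get("albumList", {}).get("album", [])
    return sorted(a["id"] for a in listed if a["id"] not in permitted)

# Constructed sample data: album id -> folder id; the user may see folder 1 only.
ALBUM_FOLDER = {"a1": 1, "a2": 1, "b1": 2, "b2": 2}
USER_FOLDERS = [1]

def fake_fetch(url):
    """Constructed stand-in for the server that reproduces the reported behaviour."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    if parts.path.endswith("/getMusicFolders.view"):
        body = {"musicFolders": {"musicFolder": [{"id": f, "name": f"folder{f}"} for f in USER_FOLDERS]}}
    else:  # getAlbumList: filters only when musicFolderId is supplied
        wanted = query.get("musicFolderId", [None])[0]
        ids = [a for a, f in ALBUM_FOLDER.items() if wanted is None or str(f) == wanted]
        body = {"albumList": {"album": [{"id": a} for a in ids]}}
    return json.dumps({"subsonic-response": {"status": "ok", **body}})

if __name__ == "__main__":
    auth = {"u": "demo", "p": "demo", "v": "1.14.0", "c": "acl-check"}  # constructed values
    print(leaked_album_ids("http://localhost:4040", auth, fake_fetch))
```

A non-empty result from `leaked_album_ids` means the server is not applying folder permissions to getAlbumList itself, which filtering in the client does not change.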