getAlbumList exposes all albums despite user access

Post by video

With the REST API:
getAlbumList exposes all albums despite user access.

Thus, a less privileged user can see all the available songs on the server despite only having access to a certain folder.

This can be addressed for client app use by using the getMusicFolders method and then calling getAlbumList with only those folder IDs. This, however, shouldn't be necessary. getAlbumList should only return album IDs that the user has access to.

Thanks.

MADSONIC 6.2.9080.2a5cd1f.20161222.0530
MADSONIC REST API v2.5.0, SUBSONIC REST API v1.14.0
jetty/8.y.z-SNAPSHOT, java 1.8.0_152, Linux 4.13.9-1-ARCH (amd64) (419.5 MB / 1.41 GB)
Spring.Framework v3.2.17, Spring.Security v3.2.9, HyperSQL DataBase v2.3.4
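A check for the behaviour reported above, as an added example that is not part of the original post or Madsonic's code: it compares the unfiltered getAlbumList result with the union of the per-folder results for the folders getMusicFolders returns. The `fetch` callable, the simulated server and its data are constructed for illustration; the `musicFolderId`, `size` and `offset` parameters and the JSON layout follow the Subsonic REST API and are assumed to apply to Madsonic as well.

```python
# Added example: audit check for the reported getAlbumList behaviour.
# fetch(method, params) is a hypothetical transport returning parsed JSON.
PAGE = 500  # getAlbumList page size (Subsonic API maximum)

def album_ids(fetch, folder_id=None, list_type="alphabeticalByName"):
    """Collect every album id from getAlbumList, paging until a short page."""
    ids, offset = set(), 0
    while True:
        params = {"type": list_type, "size": PAGE, "offset": offset}
        if folder_id is not None:
            params["musicFolderId"] = folder_id
        body = fetch("getAlbumList", params)["subsonic-response"]
        page = body.get("albumList", {}).get("album", [])
        ids.update(str(a["id"]) for a in page)
        if len(page) < PAGE:
            return ids
        offset += PAGE

def leaked_album_ids(fetch):
    """Albums returned without a folder filter that lie outside the user's folders."""
    body = fetch("getMusicFolders", {})["subsonic-response"]
    allowed = set()
    for folder in body["musicFolders"]["musicFolder"]:
        allowed |= album_ids(fetch, folder_id=folder["id"])
    return album_ids(fetch) - allowed

# Constructed sample data: the server holds two folders, the user may see folder 1.
LIBRARY = {1: ["101", "102"], 2: ["201", "202", "203"]}
USER_FOLDERS = [1]

def make_fake_fetch(enforce_acl):
    """Simulated server; enforce_acl=False models the behaviour in the report."""
    def fetch(method, params):
        if method == "getMusicFolders":
            folders = [{"id": i, "name": f"folder{i}"} for i in USER_FOLDERS]
            data = {"musicFolders": {"musicFolder": folders}}
        else:
            fid = params.get("musicFolderId")
            default = USER_FOLDERS if enforce_acl else list(LIBRARY)
            visible = [fid] if fid is not None else default
            albums = [a for f in visible for a in LIBRARY.get(f, [])]
            albums = albums[params["offset"]:params["offset"] + params["size"]]
            data = {"albumList": {"album": [{"id": a} for a in albums]}}
        return {"subsonic-response": {"status": "ok", **data}}
    return fetch

if __name__ == "__main__":
    print(sorted(leaked_album_ids(make_fake_fetch(enforce_acl=False))))
```

An empty result means the unfiltered call returned nothing beyond the user's folders; any ids in the result are albums the restricted account should not have been shown.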