[mythtv-users] Mythweb security

Bill Chmura Bill at Explosivo.com
Wed Oct 27 21:43:41 UTC 2004

Hey Chris,

On Wednesday 27 October 2004 04:33 pm, Chris Petersen wrote:
> > If I had to do it, I would still use the apache login, but then check the
> > user inside mythweb.
> That's the long-term plan.  php's support for htauth isn't so hot (and
> it's not just apache -- htauth is built into the http specs), or rather,
> htauth isn't complex enough to bother putting effort into php when
> apache manages it so easily.

Since we are not really adding super security onto it, I was thinking of just 
checking the environment variable for the username.  If I recall that was the 
easiest way.

> Can then let access groups be defined in mythweb (either online or in a
> config file), to control who can see which sections of mythweb.
> > I'd be willing to code it in, but I would want the maintainer to agree
> > that it is good and would be included.
> I'd accept a patch if:
> 1. access groups can be disabled, and are disabled by default.

I'd say groups would be overkill.  Figure a Mythbox could have like an average 
of three users, maybe a total of 6 in a big family.  Breaking groups to 
contain users would be just wasted I would think.  Assigning rights to each 
person should be okay.  Basically something like:

Note that [ ] below signifies checkboxes and is just an example, I have not 
put any thought into what they would actually be.

username        [admin]  [can set recordings]  [can del recordings]  [can view schedule]  [max priority]  [etc]

> 2. open discussion comes to a consensus about which areas of mythweb
>     need to be restricted.
> Of course, all of this user-priority/override stuff would require mythtv
> support, and goes beyond mythweb.  I'm only thinking about stuff like
> locking out the ability to delete recordings, change channel settings, etc.

I'd say just enforcing a max priority setting would be good - even if it did 
not get enforced by Mythtv.  I can whack my GF with a rolled up newspaper 
when she overrides something in front of me, but when she goes home and 
sneaks in with a web browser it's a different story :)

I can come up with a better plan and submit it to the list for the open 
discussion and we can evaluate there if it has any merit.


> -Chris
> _______________________________________________
> mythtv-users mailing list
> mythtv-users at mythtv.org
> http://mythtv.org/cgi-bin/mailman/listinfo/mythtv-users


Bill Chmura
Director of Internet Technology
Explosivo ITG
Wolcott, CT

p: 888.560.YWEB (9932)
e: bill at Explosivo.com
w. http://www.explosivo.com
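
The scheme discussed in this message, sketched as an added example that is not part of the original post and is not MythWeb code: the web server authenticates, the application reads the resulting username, and a per-user rights row decides what is allowed. It assumes the server exposes the authenticated name as `REMOTE_USER`; every function name, right name and user below is hypothetical.

```php
<?php
// Added illustration; not MythWeb code. All names and data are hypothetical.

// Off by default, matching the maintainer's first condition for a patch.
const ACCESS_CONTROL_ENABLED = false;

// One row per user, mirroring the checkbox row in the message (constructed data).
const USER_RIGHTS = [
    'bill' => ['admin' => true,  'set_recordings' => true, 'del_recordings' => true,
               'view_schedule' => true, 'max_priority' => 10],
    'gf'   => ['admin' => false, 'set_recordings' => true, 'del_recordings' => false,
               'view_schedule' => true, 'max_priority' => 3],
];

// Username set by the web server after HTTP authentication succeeded.
// Only trustworthy when the server itself enforces the login for this path.
function current_user(array $server): ?string
{
    $user = $server['REMOTE_USER'] ?? null;
    return (is_string($user) && $user !== '') ? $user : null;
}

// True if the user holds the named right. Unknown users are denied.
function user_can(?string $user, string $right, bool $enabled = ACCESS_CONTROL_ENABLED): bool
{
    if (!$enabled) {
        return true; // feature disabled: behave exactly as before
    }
    if ($user === null || !isset(USER_RIGHTS[$user])) {
        return false; // authenticated by the server but not listed: deny
    }
    $rights = USER_RIGHTS[$user];
    return !empty($rights['admin']) || !empty($rights[$right]);
}

// Cap a requested recording priority at the user's own maximum.
function clamp_priority(?string $user, int $requested, bool $enabled = ACCESS_CONTROL_ENABLED): int
{
    if (!$enabled) {
        return $requested;
    }
    $max = USER_RIGHTS[$user ?? '']['max_priority'] ?? 0;
    return min($requested, $max);
}

// Constructed request environment; a real page would pass $_SERVER.
$user = current_user(['REMOTE_USER' => 'gf']);
var_dump(user_can($user, 'del_recordings', true));
var_dump(clamp_priority($user, 8, true));
```

The cap is enforced on the server side at the point where the request is handled, so it holds even when the request comes from a browser outside the house.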
