[mythtv-users] Restricting functionality thru MythWeb

Michael T. Dean mtdean at thirdcontact.com
Wed Mar 28 18:24:11 UTC 2007


On 03/28/2007 01:58 PM, Bill White wrote:
> I was looking for a way to restrict functionality to
> non admin users using myth web.  Basically removing
> the ability to modify settings,

Protect /settings/* differently and with a different password using 
Apache's configuration...

>  delete recordings or schedule recordings.

Unfortunately, delete is "in" /tv/recorded (which also shows the 
recorded programs) and scheduling is "in" /tv/detail (which also shows 
the detailed program info), so if you protect these, you lose the 
"Recorded Programs" and "Program Details" screens, respectively.  Losing 
"Program Details" is probably good--as it further supports the idea of 
protecting your schedules.

You might be able to protect deletes with a LocationMatch that looks for 
"delete=yes" in a URI that goes to /tv/recorded, but I don't know if 
LocationMatch scans parameters, too.  Regardless, it doesn't take a very 
skilled cracker to realize that sending the parameter in a POST request 
would get around the parameter scanning...  Therefore, I'm guessing that 
LocationMatch ignores GET request parameters.  So, you'll likely have to 
protect the entire Recorded Programs section.

Note, I haven't done any of this, so there may be other ways "into" 
these areas.  In other words, you'll still need to do a "security audit" 
because I haven't.  :)

Mike
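
The layout suggested in this message could be written as below. This is an added example, not part of the original post and not MythWeb's shipped configuration; the `/mythweb` URL prefix, the realm names and both password-file paths are assumptions.

```apache
# Added example. Assumed: MythWeb is served under /mythweb, and the two
# password files were created beforehand with htpasswd(1).
# Sections are merged in the order they appear, so the broad rule comes
# first and the narrower ones below override it.

# Baseline: every MythWeb page requires a viewer login.
<Location "/mythweb">
    AuthType Basic
    AuthName "MythWeb"
    AuthUserFile "/etc/mythweb/htpasswd.viewers"
    Require valid-user
</Location>

# Settings get a different realm and a different password file, so a
# viewer login alone is not accepted here.
<Location "/mythweb/settings">
    AuthType Basic
    AuthName "MythWeb Admin"
    AuthUserFile "/etc/mythweb/htpasswd.admins"
    Require valid-user
</Location>

# Delete is handled in /tv/recorded and scheduling in /tv/detail.
# <LocationMatch> is matched against the URL path only, never the query
# string or a POST body, so a rule keyed on "delete=yes" cannot be
# expressed here. The whole sections are gated instead, which also hides
# the "Recorded Programs" and "Program Details" screens from viewers.
<LocationMatch "^/mythweb/tv/(recorded|detail)">
    AuthType Basic
    AuthName "MythWeb Admin"
    AuthUserFile "/etc/mythweb/htpasswd.admins"
    Require valid-user
</LocationMatch>
```

Administrators need an entry in both password files, since the browser authenticates to each realm separately. `apachectl configtest` checks the syntax before a reload.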

