[mythtv-users] Restricting functionality thru MythWeb
Michael T. Dean
mtdean at thirdcontact.com
Wed Mar 28 18:24:11 UTC 2007
On 03/28/2007 01:58 PM, Bill White wrote:
> I was looking for a way to restrict functionality to
> non admin users using myth web. Basically removing
> the ability to modify settings,
Protect /settings/* differently and with a different password using
> delete recordings or schedule recordings.
Unfortunately, delete is "in" /tv/recorded (which also shows the
recorded programs) and scheduling is "in" /tv/detail (which also shows
the detailed program info), so if you protect these, you lose the
"Recorded Programs" and "Program Details" screens, respectively. Losing
"Program Details" is probably good--as it further supports the idea of
protecting your schedules.
You might be able to protect deletes with a LocationMatch that looks for
"delete=yes" in a URI that goes to /tv/recorded, but I don't know if
LocationMatch scans parameters, too. Regardless, it doesn't take a very
skilled cracker to realize that sending the parameter in a POST request
would get around the parameter scanning... Therefore, I'm guessing that
LocationMatch ignores GET request parameters. So, you'll likely have to
protect the entire Recorded Programs section.
Note, I haven't done any of this, so there may be other ways "into"
these areas. In other words, you'll still need to do a "security audit"
because I haven't. :)
More information about the mythtv-users