[mythtv-users] Restricting functionality thru MythWeb
raygions at yahoo.com
Wed Mar 28 21:15:07 UTC 2007
--- "Michael T. Dean" <mtdean at thirdcontact.com> wrote:
> On 03/28/2007 01:58 PM, Bill White wrote:
> > I was looking for a way to restrict functionality for non-admin users
> > using MythWeb. Basically the ability to modify settings,
> Protect /settings/* differently and with a different password using
> Apache's configuration...
> > delete recordings or schedule recordings.
> Unfortunately, delete is "in" /tv/recorded (which also shows the
> recorded programs) and scheduling is "in" /tv/detail (which also shows
> the detailed program info), so if you protect these, you lose the
> "Recorded Programs" and "Program Details" screens, respectively. Losing
> "Program Details" is probably good--as it further supports the idea of
> protecting your schedules.
> You might be able to protect deletes with a LocationMatch that looks for
> "delete=yes" in a URI that goes to /tv/recorded, but I don't know if
> LocationMatch scans parameters, too. Regardless, it doesn't take a very
> skilled cracker to realize that sending the parameter in a POST request
> would get around the parameter scanning... Therefore, I'm guessing that
> LocationMatch ignores GET request parameters. So, you'll likely have to
> protect the entire Recorded Programs section.
> Note, I haven't done any of this, so there may be other ways "into"
> these areas. In other words, you'll still need to do a "security audit"
> because I haven't. :)
Ok. I figured I would ask...just in case
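
The path-based protection discussed in this thread, written out as an Apache configuration sketch. This is an added example, not part of either poster's message and not MythWeb's shipped configuration. Assumptions: MythWeb is served under /mythweb, the two password files are placeholder paths, and the realm names are made up.

```apache
# Assumed layout: MythWeb mounted at /mythweb; file paths are placeholders.
# <Location>/<LocationMatch> sections are merged in the order they appear,
# so the general rule comes first and the stricter ones override it.

# Baseline: any household account can browse listings.
<Location /mythweb>
    AuthType Basic
    AuthName "MythWeb"
    AuthUserFile /etc/mythweb/users.htpasswd
    Require valid-user
</Location>

# Settings: separate realm and password file, so a regular user's
# credentials are never accepted here.
<Location /mythweb/settings>
    AuthType Basic
    AuthName "MythWeb admin"
    AuthUserFile /etc/mythweb/admin.htpasswd
    Require valid-user
</Location>

# Delete lives in /tv/recorded and scheduling in /tv/detail.
# <Location> and <LocationMatch> compare against the URL path only:
# the query string (e.g. delete=yes) and a POST body are never part of
# the match, so a pattern on the parameter cannot protect the action.
# The whole path is put behind the admin realm instead, at the cost of
# hiding the "Recorded Programs" and "Program Details" screens.
<LocationMatch "^/mythweb/tv/(recorded|detail)(/|$)">
    AuthType Basic
    AuthName "MythWeb admin"
    AuthUserFile /etc/mythweb/admin.htpasswd
    Require valid-user
</LocationMatch>
```

These sections only cover the URL paths they name. Any other URL that reaches the same handlers, for example through rewrite rules or a script addressed directly, is not covered and has to be checked separately.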