[mythtv-users] Restricting functionality thru MythWeb

Bill White raygions at yahoo.com
Wed Mar 28 21:15:07 UTC 2007

--- "Michael T. Dean" <mtdean at thirdcontact.com> wrote:

> On 03/28/2007 01:58 PM, Bill White wrote:
> > I was looking for a way to restrict functionality to
> > non admin users using myth web.  Basically removing
> > the ability to modify settings,
>
> Protect /settings/* differently and with a different password using
> Apache's configuration...
>
> >  delete recordings or schedule recordings.
>
> Unfortunately, delete is "in" /tv/recorded (which also shows the
> recorded programs) and scheduling is "in" /tv/detail (which also shows
> the detailed program info), so if you protect these, you lose the
> "Recorded Programs" and "Program Details" screens, respectively.  Losing
> "Program Details" is probably good--as it further supports the idea of
> protecting your schedules.
>
> You might be able to protect deletes with a LocationMatch that looks for
> "delete=yes" in a URI that goes to /tv/recorded, but I don't know if
> LocationMatch scans parameters, too.  Regardless, it doesn't take a very
> skilled cracker to realize that sending the parameter in a POST request
> would get around the parameter scanning...  Therefore, I'm guessing that
> LocationMatch ignores GET request parameters.  So, you'll likely have to
> protect the entire Recorded Programs section.
>
> Note, I haven't done any of this, so there may be other ways "into"
> these areas.  In other words, you'll still need to do a "security audit"
> because I haven't.  :)
>
> Mike
Ok.  I figured I would ask...just in case
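
An Apache configuration sketch of the approach discussed in this thread, added here as an example and not written by either poster or taken from the MythWeb project. The realm names and password file paths are constructed placeholders, and the unanchored patterns assume the /settings, /tv/recorded and /tv/detail paths named in the thread sit under whatever prefix MythWeb is served from.

```apache
# Added example: path-based protection for MythWeb sections.
# File paths and realm names below are placeholders (assumptions).

# <Location>/<LocationMatch> are tested against the URL path only.
# The query string ("?delete=yes") and any POST body are not part of
# what the pattern sees, so a rule such as
#     <LocationMatch "/tv/recorded.*delete=yes">
# would never fire. The whole section has to be protected instead.

# Settings: its own realm and its own password file, so ordinary
# viewers' credentials do not unlock it.
<LocationMatch "/settings(/|$)">
    AuthType Basic
    AuthName "MythWeb settings"
    AuthUserFile /etc/apache2/mythweb-admin.htpasswd
    Require valid-user
</LocationMatch>

# Recorded Programs (carries delete) and Program Details (carries
# scheduling). Protecting these also hides the listing and detail
# screens from non-admin users, as noted in the thread.
<LocationMatch "/tv/(recorded|detail)(/|$)">
    AuthType Basic
    AuthName "MythWeb recordings"
    AuthUserFile /etc/apache2/mythweb-admin.htpasswd
    Require valid-user
</LocationMatch>
```

Because no `<Limit>` block is used, the `Require` lines apply to every HTTP method, GET and POST alike.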
