Bug #2941

Users with recording profile can see other profile's recordings in the web interface

Added by Sam Stenvall over 6 years ago. Updated almost 6 years ago.

Status: Fixed
Priority: Normal
Assignee: -
Category: General
Target version: -
Start date: 2015-06-12
Due date:
% Done: 0%
Estimated time:
Found in version: 4.0.4-8~g4f9d15f
Affected Versions:

Description

Steps to reproduce:

1. Record something as user "1" using DVR profile "1".
2. Create a new user "2" with DVR profile "2".
3. Log in to the web interface with user "2" and go to the DVR tab.

What happens:

User "2" sees (and can delete) the recording made by user "1", even though "All DVR" is not checked in his access control entry.

What should happen:

User "2" shouldn't see the recording at all.

History

#1

Updated by Jaroslav Kysela over 6 years ago

Could you check if you don't have "DVR All" in the matched IP ACLs? Please provide the "--trace access" log. I don't see an error in the access check logic for DVR entries.

#2

Updated by Jaroslav Kysela almost 6 years ago

  • Status changed from New to Fixed

I believe it's fixed. If it isn't - just post a note.
