Bug with REST API (Access limits not respected)

<<

Noneya

Serviio newbie

Posts: 4

Joined: Thu Oct 02, 2014 8:21 am

Post Thu Oct 02, 2014 8:28 am

Bug with REST API (Access limits not respected)

Hello

I have just bought the Pro licence for Serviio and downloaded ServiiGo to some of my Android devices

I have 3 shares, only 2 of which are allowed to devices with limited access
I deleted all configured devices and set the default access restriction to limited access

When I browse my shares via any device using DLNA browser software such as MediaHouse, only the two 'Limited Access' shares show up, which is correct. If I run ServiiGo on any of the devices, I am shown all three shares, even though the devices do not have 'Full Access' privilege.
<<

will

DLNA master

Posts: 2138

Joined: Mon Aug 30, 2010 11:18 am

Location: UK

Post Thu Oct 02, 2014 3:23 pm

Re: Bug with REST API (Access limits not respected)

Hi,

In the current version of Serviio access groups only apply to devices that connect via DLNA. Serviio 1.5 (not out yet) will extend the API so that ServiiGo can work in limited access mode (https://bitbucket.org/xnejp03/serviio/i ... groupid-to). The ServiiGo side is already built into ServiiGo, but it is hidden on < 1.5 servers.

If you request access to Serviio's beta testing group, then you will be able to try it out once the first beta comes out, I would like to get some feedback on how it works.

Will

ServiiDroid (Android Console) Developer: Download | Home | Support
ServiiGo (Android 3G/4G/WiFi Playback App) Developer: Download | Home | Support
<<

Noneya

Serviio newbie

Posts: 4

Joined: Thu Oct 02, 2014 8:21 am

Post Fri Oct 03, 2014 3:21 pm

Re: Bug with REST API (Access limits not respected)

OK that's good to know, but is the checking done client side then?

ie Does Serviio send all the content and say "by the way this is restricted", or does the client have to get authorization from the server to get access to restricted content?
<<

will

DLNA master

Posts: 2138

Joined: Mon Aug 30, 2010 11:18 am

Location: UK

Post Fri Oct 03, 2014 5:25 pm

Re: Bug with REST API (Access limits not respected)

Noneya wrote: OK that's good to know, but is the checking done client side then?

ie Does Serviio send all the content and say "by the way this is restricted", or does the client have to get authorization from the server to get access to restricted content?


When connected to a 1.5 server, ServiiGo will specify the access group that should be used when requesting content. The access group that ServiiGo sends is set up based on the assumption that users who should only get limited access do not know the remote access password. So when adding a server via automatic setup, the default access group set in the console is assigned. So if you set the default to Limited access, ServiiGo will automatically set itself up in Limited access mode. The access group can then be changed in ServiiGo once set up, but it will require the user to re-enter the server password. If you set up a server manually, then you need to know the password so you get to choose the access group.

Edit: Looks like didn't finish implementing this actually, will release a new beta soon with it.
Will

<<

Noneya

Serviio newbie

Posts: 4

Joined: Thu Oct 02, 2014 8:21 am

Post Sat Oct 04, 2014 4:25 am

Re: Bug with REST API (Access limits not respected)

OK good. so it's not theoretically possible for somebody to write a client using the REST api that bypasses security (providing the server is on v1.5+)?
<<

will

DLNA master

Posts: 2138

Joined: Mon Aug 30, 2010 11:18 am

Location: UK

Post Sat Oct 04, 2014 7:08 am

Re: Bug with REST API (Access limits not respected)

Noneya wrote: OK good. so it's not theoretically possible for somebody to write a client using the REST api that bypasses security (providing the server is on v1.5+)?


It's not possible to bypass the remote access password (unless you use the new option in 1.5 to not need a password), but it is possible to write a client that does not handle access groups (such as MediaBrowser). This is because once devices connect from outside of your network, it's not really feasible to use the IP address to assign a group, so it has to be done based on the client's request. My initial and complete proposal involves having multiple users/passwords each with their own access group, but it's a lot more work than the client picking an access group and restricting the chosen access group in some way. Having said that I believe that the implementation in 1.5/ServiiGo should cover most cases as long as you do not give out the password to users (i.e. kids) who should have limited access.
Will

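As an added illustration, not Serviio or ServiiGo code: a simplified Python model of the two designs discussed in this thread, a single shared password with the access group named by the client versus per-user credentials whose group is stored on the server. Every function name, account, share and password here is constructed for the example and does not reflect Serviio's actual REST API.

```python
import hashlib
import hmac
import os

# Constructed catalogue: share name -> access groups allowed to see it.
SHARES = {
    "Movies": {"full"},
    "Cartoons": {"full", "limited"},
    "Music": {"full", "limited"},
}
SHARED_PASSWORD = "constructed-shared-pw"  # hypothetical single remote password


def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def _account(password, group):
    salt = os.urandom(16)
    return {"salt": salt, "hash": _kdf(password, salt), "group": group}


# Hypothetical per-user accounts; the group is stored on the server.
ACCOUNTS = {
    "parent": _account("constructed-parent-pw", "full"),
    "kid": _account("constructed-kid-pw", "limited"),
}
_DUMMY = _account(os.urandom(16).hex(), "")  # unknown users take the same code path


def visible_shares(group):
    return sorted(name for name, groups in SHARES.items() if group in groups)


def browse_client_asserted(password, requested_group):
    """Shared password; the server trusts the group named in the request."""
    if not hmac.compare_digest(password.encode(), SHARED_PASSWORD.encode()):
        raise PermissionError("bad password")
    return visible_shares(requested_group)


def browse_credential_bound(user, password, requested_group=None):
    """Per-user password; the group comes from the account, not the request."""
    acct = ACCOUNTS.get(user, _DUMMY)
    ok = hmac.compare_digest(acct["hash"], _kdf(password, acct["salt"]))
    if not (ok and user in ACCOUNTS):
        raise PermissionError("bad credentials")
    return visible_shares(acct["group"])  # requested_group is deliberately ignored
```

In the first function the restriction holds only while limited users do not know the shared password; in the second, a limited account sees the limited shares whatever group the client names.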
