Bug #5150
Incorrect UI Level behaviour when using universal '*' user with other users coming from same IP (allowed network)
Status: open
Description
I came across a bug that took a few hours to figure out; I thought I would share it here in case someone else stumbles upon it. Using version 4.3-1273~g610c6fa74.
When using the universal * user, you have to specify a correct IP or IP range (in Allowed networks field) in order for it to work. Let's say you disable Web interface access for this user, or specify 'Basic' Level.
If, at the same time, you have other users/admins with nothing specified in the Allowed network field, and especially if you specify at the global level UI Level = 'Expert', then you will observe a very weird behavior:
- Set global UI Level to Expert
- Log in to the web interface with a normal user/admin (important to log in using a username and password)
- You expect to see expert Level everywhere, since it is defined as Global Level (you can even force ui level at user level, the bug will still happen)
- But instead, each time you log in, you will have Basic view once logged in, and then won't be able to see some UI sections (tabs) like EPG Modules, Debugging, etc.
- You have the possibility to change the View in each tab through the drop-down, you will see new columns in the tables and the expert settings, but won't be able to see the missing tabs
- If you set Persistence, you WILL lock yourself out of all expert settings, since you won't have the View drop-down anymore
- Deleting the '*' user instantly brings back everything to normal when you log in to the web interface with a normal user/admin
I believe this is because when I created the '*' user, I did set up a unique IP in the Allowed networks like this one: 172.17.0.1/32, and since I am using a Dockerized version of tvheadend, all users have the same IP.
So there must be a problem with tvheadend matching the origin IP of named users and the case of a user that does not have web interface rights, or limited rights to Basic UI Level, like my '*' user.
The workaround is easy, but I thought I would post this as a bug anyway; it might save someone a few hours.
Possible workarounds:
- Make sure a limited user can't have the same IP as other users when specifying Allowed networks (especially when specifying single IPs with the 32-bit mask)
- Use another port and reverse proxy it to 9981 so your '*' will come from 127.0.0.1, and then communicate that port for the anonymous users instead of 9981
- Play with network settings when using Docker so that each client is correctly identified with its own IP
- ...
I take this opportunity to thank the devs for this nice and versatile piece of software!
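A configuration check for the first workaround in the report above, as an added example that is not part of the original report and is not tvheadend code: it flags named users whose Allowed networks overlap those of a restricted '*' entry. The entry field names, the sample entries, and the treatment of an empty Allowed networks value as "any source" are assumptions.

```python
import ipaddress

# Constructed sample entries; field names are hypothetical, not tvheadend's schema.
ENTRIES = [
    {"username": "*", "networks": "172.17.0.1/32", "webui": False, "uilevel": "basic"},
    {"username": "admin", "networks": "", "webui": True, "uilevel": "expert"},
    {"username": "viewer", "networks": "192.168.1.0/24", "webui": True, "uilevel": "expert"},
]

# Assumption: an empty Allowed networks field matches any IPv4 or IPv6 source.
ANY = [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]


def parse_networks(field):
    """Parse a comma-separated list of CIDR prefixes into network objects."""
    items = [p.strip() for p in field.split(",") if p.strip()]
    if not items:
        return list(ANY)
    return [ipaddress.ip_network(p, strict=False) for p in items]


def is_restricted(entry):
    """A '*' entry is of interest when it denies the web UI or lowers the UI level."""
    return not entry["webui"] or entry["uilevel"] != "expert"


def find_overlaps(entries):
    """Return (named_user, wildcard_net, named_net) for each overlap with a restricted '*' entry."""
    wild = [e for e in entries if e["username"] == "*" and is_restricted(e)]
    named = [e for e in entries if e["username"] != "*"]
    hits = []
    for w in wild:
        for wnet in parse_networks(w["networks"]):
            for n in named:
                for nnet in parse_networks(n["networks"]):
                    # Only compare networks of the same address family.
                    if wnet.version == nnet.version and wnet.overlaps(nnet):
                        hits.append((n["username"], str(wnet), str(nnet)))
    return hits


if __name__ == "__main__":
    for user, wnet, nnet in find_overlaps(ENTRIES):
        print(f"'{user}' ({nnet}) overlaps restricted '*' entry ({wnet})")
```
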