Better default access control

The current access control mechanism suffers from the following drawback:

1) Suppose that the kids have a renderer whose IP address is 192.168.1.54 and that dad has set its group membership to "Limited Access"
2) Dad has also set "Limited Access" to all the kid's cartoons folders, but dad has thoughtfully left his porn folder set to the default "No Restriction".
3) Kids cannot access dad's porn because their renderer is set to "Limited Access" and dad's porn does not have the "Limited Access" group. So far, so good, right?
4) One day, the DHCP lease on the kids renderer expires and it gets assigned a different IP address, say 192.168.1.55.
5) Serviio sets "No Restriction" for this renderer by default.
6) Wham! Kids start watching dad's porn. Now that's entertainment

This problem can be easily fixed by allowing dad to remove the "No Restriction" group from his porn. Here is how it would work:
1) Kid's renderer 192.168.1.54 is assigned the default "No Restriction"
2) Dad sets "No Restriction" on all cartoon folders. Dad removes "No Restriction" from his porn but adds "Limited Access".
3) Dad sets his renderer to "Limited Access" so he can watch his porn.
4) Kids cannot watch porn because their renderer is set to the default "No Restriction"
5) One day, the DHCP lease on the kids renderer expires and it gets assigned a different IP address, say 192.168.1.55. But that's OK because Serviio assigns it "No restriction", so no elevation of privilege occurs.

Please add this feature. Specifically, allow dad to remove the "No Retriction" group from folders. That's all.

BTW, here is a different group naming scheme that fits better with this approach:
- Rename "No Restriction" to "General Audience" or "All Viewers".
- Rename "Limited Access" to "Mature Audience" or "Limited Audience" or "Select Audience".

[zip]

I might just add a setting to assign a selected group (In your case Limited Access) to any new renderer. That would work too, right?

Yes, that would work. I'm just worried that it would mess up the "work out of the box" behavior. Specifically, all new content gets assigned "No Restriction" while all new renderers get assigned "Limited Access". This means that new renderers won't be able to view new content unless dad also assigns "Limited Access" to the new content.

Does the approach that I suggested seem complicated? (It doesn't to someone like myself sitting in the peanut gallery.) At the very least, it would not mess anything up. If it seems hard to do in reality, may I help? I have a significant background in security systems, specifically in access control mechanisms, and 20+ experience as a software engineer.

[Ryster]

But it would work out of the box virgilm, because out of the box none of your media folders would be set to "limited access". They would go into no restriction by default.

Though I agree it would be nice to beef up the permissions system a bit, similar to the way folder permissions are done in Windows. You should be able define one or more groups (eg. kids, movies, tc, porn, etc), then assign individual renders to one or more of those groups. By default out of the box, new renderers would get added to the default group. Also by default, all new folders added would have permissions set to allow only that default group to have access. That way, out of the box, all renderers have access to all folders.

But using this setup you could simply take default group off of a media folder, and assign one or more other groups. so for a folder full of kids content, you would take default off and add the kids group. for tv shows, you'd add the tv group, for movies you add the movies group, and lastly for porn (who risks putting porn on their lan anyway? hehe) you'd assign the porn group. That way, only renderers in each of those groups could see the content in those folders, and most importantly any new renderer that appears on the network would only be able to see content folders with the default group assigned to them.

This seems fairly simple to me, at least in my experience of coding database driven websites and would provide a powerful permissions structure to the software for advanced users, while keeping the out of box simplicity that Serviio is known for.

I'm going to second this request.

If we could have a default access category setting, that would be fantastic.

I'm thinking it might also be nice to have more access groups. You could create any number of groups, and have folders shared to specific groups, and devices have access to specific groups. Example:

#1
Maybe player X wants to access folder Y:
X's Group access:
1, 3, 4
Y's Selected Groups to share to:
1, 2
Now X can access Y.

#2
X's Group access:
1, 3, 4
Y's Selected Groups to share to:
2, 5

X cannot access Y.

This would help with sharing a couple home videos with your friends, for example, without sharing the whole shibang. Maybe wife could access everything, Kids could access cartoons, coworkers could access project videos, friends could access shows, etc.

[zip]

Created a ticket: https://bitbucket.org/xnejp03/serviio/i ... ctionality

I love serviio, but this is my one issue as well. In fact, I bought Pro a couple days ago just for the feature of access control...and also found that it really isn't as controlling as I would like it to be.

Let's hope 1.02 is more robust there

<Bump>

I also just bought Pro for this very feature, but would like to see the default access set to limited access versus no restriction. Many BOYD pop-up on the network and well....

Great program though, keep up the great work!

Cheers,
Rick

Yeah Zip, hopefully this not posted else where, after searching and looking I not see this.

So I live in a new apartment complex that is networked so the whole entire complex is on the same network.

I would like to have the access group be totally costume like "Paul's access group" so I can make my devices only ( oh and the media browser with password of course) be able to access my content, and nobody else on the network be able to.

Like make the default no access (limited)

Right now I am still on the trial time, so is this possible to do?

I did notice that some have the red (button?)icon next to their deice, as a few have the green icon.

So my goal is so I can watch my movies on my own devices, or if on vacation I can watch them through pass worded media browser.

Thank you.

[zip]

Not doable by default currently. You can disable access to any device from the list by right-clicking on it.

Not doable by default currently. You can disable access to any device from the list by right-clicking on it.

okay so if a new device pops in the network ( say somebody in the complex plugs in a new PS3) then their default would have access??

sorry still new so trying to wrap my head around this and understand it.

[zip]

yes. There is an open ticket to configure this behaviour.

You could also control this on the firewall level - enable access to port 8895 only to your devices.

yes. There is an open ticket to configure this behavior.

You could also control this on the firewall level - enable access to port 8895 only to your devices.

Yeah in the apartment complex here we literally just plug into the wall. I am having the same problem getting port 23424 forwarded also because of this.

So sounds like i may need to find my Netgear router in one of my stored boxed and use it... humm.

I'd also love this feature as descibed at beggining of post (or similar). Right now all new devices have access to limited folders which is no-go.
For me limiting access was reason to buy PRO but haeving to watch it manually is significant problem.

+1 for the feature. I will purchase the pro version immediately after this is added.

For such a great software, I was incredibly surprised that the current access management has such a major flaw in it. Usually when dealing with access control I simply create a rel data set where a user (or device) belongs to a group (or several) and each file (or accessible item) is allowed by one or more groups. It is a tad harder to code, but enables the most flexibility.

[Ryster]

I'd also love this feature as descibed at beggining of post (or similar). Right now all new devices have access to limited folders which is no-go.
For me limiting access was reason to buy PRO but haeving to watch it manually is significant problem.

You risk plugging your devices directly into an essentially "open" and "untrusted" LAN? Pretty risk if you ask me, especially if you have no control over what other devices are on that LAN. Get yourself a router and plug all your devices into it, and then plug that router into the wall socket with NAT and firewall enabled.

Also Zip, any progress on this yet please?

[zip]

Not yet, the ticket is here: https://bitbucket.org/xnejp03/serviio/i ... ctionality

I'm focussing on subtitles support for the next release, so hopefully the one after that.

I would also love to see more functionality for access groups as TheRetroSpectrum described above.

Could you add a way to set access groups for the mediabrowser too? I haven't been able to find a way to do so if that has already been implemented.

I obviously don't expect a per-device option for mediabrowser, but i'd like to be able to share only the pg13 stuff for remote viewing. At the moment I have to either sanitize what is shared, or turn off the mediabrowser.