This is a serious hole in parental/managed user control in the currently released version of Plex on the Play Store.
Plex/Shield is populating the Now Playing with content that is otherwise protected/hidden, even when the user to which that content belongs is no longer active in Plex.
PLATFORM:
Android TV, NVIDIA Shield Experience 6.2 update
ISSUE:
Now Playing can show video content from a library that is hidden from the dashboard and enabled only for the admin user behind a passcode, even when a different managed user is active.
STEPS:
Set up at least one managed user in addition to the main admin user
Set up a library only for the admin user with at least one video
Disable the dashboard for that library
Set a passcode for the admin user
On the Shield, start Plex, select the admin user and enter the passcode
Go to the above Library and play a video from it (note that nothing from this library appears in the dashboard)
Exit to the LeanBack launcher, optionally first pausing the video - directly with the home button or repeatedly pressing back button
Now Playing (the first and left-most tile in the recommendations row) shows a paused still frame from the video
Enter Plex again and select a managed user (who doesn’t have access to the library or video referenced above)
Exit back to Leanback Launcher and see that the original video is still displayed in Now Playing
RESULTS:
Undesired content is presented in the top level Leanback Launcher that is accessible to anyone, thereby circumventing the parental or managed user content controls put in place within Plex.
Only a screen capture is displayed on the Now Playing Tile, the video cannot be played by selecting the tile when a different user is active in Plex. It produces a non-specific error when the Plex UI starts up.
While this tile for non-accessible video is displayed, opening Plex for the first time with a managed user may present a completely empty Dashboard with only the libraries listed at the top and plugin channels listed below.
BUILD AFFECTED:
6.11.2.3107
REGRESSION:
Haven’t tested other builds
EXPECTED BEHAVIOR:
-
Videos from Libraries that do not appear in dashboard should likewise never appear on the Now Playing of the Leanback Launcher
-
Videos from libraries that are unavailable to the managed user currently active in Plex should never appear in Now Playing of the Leanback Launcher
3. Videos in a library that only exists for a user protected by PIN/password should not appear in Now Playing when that user is no longer active in Plex (at a time where Plex would ask for user when started)
-
Videos of a content rating outside the scope of the ratings allowed for a specific managed user should not appear in Now Playing when that user is active in Plex.
-
Entering Plex with a managed user after having played unaccessible video with a different user shouldn’t have any effect on the displayed content or UI.