I hope I’m in the right forum and I describe my problem.
A friend of mine and I have a Plex server. We both share our media libraries with each other. As I recognized yesterday, his profile appears as a selection on my Apple TV, so that I can watch movies etc. with his user account.
If I use the web browser, I can also access the movies, etc. with his profile. Further, I can grant access to further users to his account, can share his media library with others, can kick his friends from his media library and can also access this forum with his user account.
Same issue here, if you add a “home user”, they can do anything, “friends” cannot.
I have a “friend” that I wanted to give Live TV access to, not possible through Friends page, but is possible as a home user. Which they can then abuse.
Don’t invite friends into your Plex Home. This is for close family members only, because it activates ‘Fast User Switching’.
The only protection within a Plex Home is a 4-digit PIN number.
I invited them as Plex friends. That is the point. Yesterday I invited a new friend. He had a newly created plex.tv account. He was in my LAN as he logged into plex.tv and after that, he was also a member of “My Plex Home” but I never added him.
This has been verified with logs now.
The request was made to add this account into your Plex Home, and not just as a friend.
So there is no security gap.