I’m wondering if there is a reason why account authentication and ratings restrictions are not applied when browsing Plex from my local network?
Earlier today I was accessing my local Plex server via the local IP in my browser, trying to customize the homepage a bit for my kids’ account. I was switching between accounts to take a look, thought I finally had it set how I wanted, then clicked the “More” button in the menu and noticed that all of my libraries were appearing and not just the two that my kids should have access to. I verified that I was definitely browsing on my kids’ account, which is set to “older kid”, and verified that the account should only have access to 2 libraries. None of that mattered though and I was able to view one of my other libraries, pin it, and start an R-rated movie all from my kids’ managed user account.
After that I switched between accounts a few more times and was having trouble reproducing it, but stumbled across something a bit worse. I opened a new private browser window, loaded Plex from my local IP, and was greeted by the new “Customize your Media” screen. I click “Finish Setup” and I’m taken straight to all of my libraries without even having to log in. My account requires a PIN so most of these libraries should not be accessible without authenticating first.
So, what do I need to do to make sure that the account restrictions are actually applied with Plex and not so easily bypassed?
I thought that was required in order to access Plex without internet?
That also shouldn’t allow a managed kids account to access, pin, and play content from libraries which they do not have permission to view, all while logged into their account. Or if that is the case then there should be a warning that if you want to access your server without internet access then you’re giving up any and all parental controls…
Oof… Now I see that if “List of IP addresses and networks that are allowed without auth” is set then it’s giving full access to the Plex server, including the ability to delete files, change all settings, etc., without any kind of authentication.
Is there no way to allow Plex to be accessed without the internet, without opening up this security risk?
Thanks. Guess that’s what I get for not checking the official docs on the setting. I’ve seen others recommending it at least a dozen times in the past, but I don’t think I’ve ever seen anyone mention the associated security risks. I figured it would at least still require a local user to log in since that still seems to be the case with apps.
It’s impossible to “login” locally without internet. All authentication for who can access your server is handled 100% by the Plex servers. If you do not want authentication, then the server cannot handle authentication, or (apparently) account/library restrictions, since all that info is read at login time from the account settings.
Ouch on that. I’d hoped that the server could at least maintain a list of the managed users of its own account, and would still restrict their library visibility locally.
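Added example, not part of the original thread and not Plex's own code: a small audit that reads a server preferences file and reports which client addresses would fall under “List of IP addresses and networks that are allowed without auth”, and so would skip login, PIN and managed-user library restrictions as described above. It assumes the setting is stored as the `allowedNetworks` attribute of `Preferences.xml` as a comma-separated list of IPs or IP/netmask entries; the sample file and client addresses are constructed.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample; "allowedNetworks" is the assumed attribute name for the
# "allowed without auth" setting, and the addresses are made up.
SAMPLE_PREFS = (
    '<Preferences FriendlyName="home" '
    'allowedNetworks="192.168.1.0/255.255.255.0, 10.0.0.5"/>'
)


def unauthenticated_networks(prefs_xml):
    """Return the networks the preferences exempt from authentication."""
    root = ET.fromstring(prefs_xml)
    raw = root.get("allowedNetworks", "")
    networks = []
    for entry in raw.split(","):
        entry = entry.strip()
        if entry:
            # strict=False accepts host bits; a bare IP becomes a /32 or /128.
            networks.append(ipaddress.ip_network(entry, strict=False))
    return networks


def bypasses_auth(client_ip, networks):
    """True if a client at client_ip is covered by an exempted network."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)


def audit(prefs_xml, client_ips):
    """Map each client IP to whether it would reach the server without auth."""
    networks = unauthenticated_networks(prefs_xml)
    return {ip: bypasses_auth(ip, networks) for ip in client_ips}


if __name__ == "__main__":
    # Constructed client list, e.g. the kids' tablet, a guest device, a NAS.
    clients = ["192.168.1.40", "192.168.2.40", "10.0.0.5"]
    for ip, exempt in audit(SAMPLE_PREFS, clients).items():
        status = "NO AUTH (restrictions not applied)" if exempt else "login required"
        print(f"{ip:15} {status}")
```

Any device reported as `NO AUTH` gets the unrestricted access described in the thread, so the list should be empty or limited to single trusted addresses rather than a whole subnet.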