Since the Plex Media Server must be available on the LAN for clients ranging from dedicated Mac Mini (TV set-top-box) to tablets and cellphone, it seems impossible to deny casual visitors access to the admin interface. There should be a way to only allow access to settings and library edits ideally to certain users, but to begin with at least password protect these sections with username and password.
As it is today, visitors and the kids can easily both delete entire library sections, reconfigure the server settings or add various metadata.
Are you talking Plex/Web? And are you referring to guests using your PCs/MACs/etc to get to that admin interface or their own brought along device?
I'm talking the administrative interface on http://1.2.3.4:32400/manage
Anyone with basic knowledge of Plex can go to that address and I'd like it to be a bit more protected.
This is true of allthings. I think for plex/web it’d be nice if it required myPlex login to even access anything.
Good call, perhaps combined with an admin username/password as backup if internet access to myPlex for any reason is unavailable.
I too would like something like this. Maybe two levels of access 1) can view and play anything, delete stuff if delete on remote devices is enabled, but not modify anything, and 2) full administrator.
Then I'd certainly go for three levels, as I wouldn't want anyone who walks by the TV set to be able to delete stuff. Modifying the settings results in a minor hassle in restoring them. Deleting would mean they could wipe the entire library we spent ages ripping and indexing and that would be a disaster.
Thus, if doing it that way, why not go all the way with security levels so that users can have a different security level and certain tasks can be assigned minimum levels. Or to simplify, at least make delete stuff the highest level.
I'd like to be able to delete stuff myself as an admin, but I wouldn't want anyone else near that feature. Which is why I'm the only one with admin rights on the NAS as well...
Any of the developers care to comment on how much work it would take just for a rudimentary username/password protection on the settings?
another possible concern, if our Plex Servers are linked via MyPlex and the plexapp.com site gets compromised and the password database stolen, a person with that password database could remote delete many libraries. likewise if an authenticated device got stolen, it would have the ability to remote delete.
i would vote for the ability to only allow client delete if said client is on the same local network as the server - ie the have physical access to the premises
early 2021 clean-up: implemented (linking server to Plex account, Home Users, restrictions for managed users etc.)
