Rasplex removed from devices but apparently user still has access.

A few days ago I removed a remote Rasplex 1.4.xx running on RPi2 from devices.
Today one of my managed users in a remote destination using that exact Rasplex was able to access my server and play a whole movie. :-/ How is it possible that a removed device is still able to access my server? I see history from PlexPy and I’m lost.
In between the device removal and today’s playback I upgraded PMS and even restarted the host. Thoughts?

Ok, there is a bug, and under certain conditions users will still have access to the server unless you change the password or log out on all devices.
I’ve installed the latest OpenPHT on a VM running macOS. I’ve linked the app to my acc and by default I log in as Plex Home admin.
The new device is shown in settings->devices, all good. I can switch to any user and play anything.
Now I’ve removed this client from devices, restarted OpenPHT, and I can still log in as any managed user and play anything I want (managed users have PINs).
Once I log in with the admin user, the device will reappear in settings->devices. Now, while still being logged in as admin, I’ve removed this client from devices again and then chosen “change user”; after that I’m getting a message that my credentials are expired.
So in a scenario where only managed users are using OpenPHT/Rasplex, removing is obsolete, and logging in as admin adds the client without any authentication required.
@NedtheNerd @elan @BigWheel FYI. I haven’t tested the original PHT yet.

I don’t personally have OpenPHT or Rasplex installed but what you describe is concerning.

Does this also happen with PMP?

So in a scenario where only managed users are using OpenPHT/Rasplex, removing is obsolete, and logging in as admin adds the client without any authentication required.

How are you logging in with the admin user? Do you mean selecting them with the user picker? Does the admin also have a PIN?

I was under the impression that the device list was just a log of which devices have logged in. Removing devices should not remove accounts and, from what you are saying, it doesn’t. I think what you should be doing is removing accounts.

Of course, I could be wrong. I believe I was wrong once but could be wrong.

@BigWheel I haven’t tested PMP yet, I’ll do it later. Yes, I mean the user picker. Yes, admin has a PIN.
@Valdhor my understanding is that once you remove a device, the next time you restart the client or switch user you shouldn’t be authenticated anymore. This is how it works with iOS devices and Android afair.

@BigWheel I’ve tested PMP; there is exactly the same behaviour with PMP.
Steps to reproduce:
Sign in using PIN.
Landing on the user picker menu, choose any user, play anything. Works.
Exit the app, remove the client from devices. Restart the app. Land on the user picker menu, choose any user but admin. Play anything, works (it shouldn’t!)
Switch user to admin, provide PIN, logged in, client gets added again to devices just like that. While logged in, delete the client from devices, switch user in PMP: “Please Sign In Again”. At this point you can’t use this client anymore unless you sign in again.
My “List of networks that are allowed without auth” is 127.0.0.1/255.255.255.255

That’s an awful lot of 'sing’ing :))

O lol, using iPad, auto correct is ■■■■■ :stuck_out_tongue:
@BigWheel guess what, iOS does exactly the same. Is it safe at this point to say there is something wrong? I’m 100% positive that in older iterations of PMS, once a client was removed from devices you had to SIGN IN (thanks @NedtheNerd :slight_smile: ) again.

Tested Windows Phone today. After removing the client from devices and restarting the app you need to sign in again. So this one is working properly.

@BigWheel were you able to reproduce this?

@Bartlomiej Baraniec said:
@BigWheel were you able to reproduce this?

Edit - scratch what I said before.

If you remove the device from the admin account only the managed user still has a valid token on their account. What happens if you remove the device when signed in as the managed user in Plex web and remove the device from their account?

I will test it later today, but after removing the device from the admin account I’m still able to sign in as admin and the device will be re-added. To be honest I had no idea that managed users have a devices tab as well; makes no sense, does it? When admin removes a device from Plex Home it shouldn’t be visible/accessible to anyone else.

You’re not removing a device from Plex Home. You are removing it from the account you are signed into. I mean if you shared with me (even if you put me in your home) I have plenty of devices you would not know anything about.

Well, in that case yes, because I would invite a proper Plex account. I don’t care about your devices and I should have no control over them.
With managed users I have only 1 proper account, which is required for the initial sign in on each device.
What if you have 10 managed users using a remote Rasplex? I need to switch 10 times and remove that client from each user.
Besides, look at how the Windows app is working.