Server Version#:1.23.2.4656
Player Version#:irrevelant
I have about two dozen people I share my library with. Every single one of them has Allow Downloads disabled, yet people can still download files.
How do I stop this on my end so I don’t have to figure out who is downloading things? It doesn’t say who the downloader is, only the file that’s being downloaded.
If people are able to download from your server, then they are not doing officially. They may be using some other tool or hack to do so. Do these show up in the play history as having played really fast? If not, you might need to go looking in the logs. There’s no way to really stop them. I would suggest trying to find out who it is and warn them to stop.
I found who it was and let them know what was going on. Of course they were mortified it was causing any issues. It’s a Javascript add-on called PlxDwnld that’s able to bypass my remote download settings. The odd thing is that they’ve used it in the past and it never appeared on my end to say Downloading like it does now. The problem is that if they queue up multiple files, it will download them all at the same time. When you do a remote conversion download it does them one at a time. I’m gathering it’s some kind of bandwidth issue that’s causing my internet to clog.
It’s possible there was a change in PMS or Web. Some activities were not shown before.
If your original files are quite large, them trying to download these could clog your internet.
Is there a way for you guys to block this extension or at least make it abide by the Plex settings? It wouldn’t be so horrible if it downloaded one file at a time. The last two files attempting to be downloaded were 19 GB and 24 GB. Pretty big.
Don’t share with people that repeatedly violate your boundaries.
Streaming is fundamentally the same as downloading. It’s not possible to prevent downloading from a streaming service.
Problem isn’t the people, problem is people not being aware there’s a problem. I’ve sent out a blanket email to everyone, but that doesn’t stop the absent minded when the download option is available. Giving friends the benefit of the doubt, sometimes they don’t equate two similar things. Me, as admin, not being able to identify which person is downloading is a minor problem. I can do my best to police it, but the bigger point is I shouldn’t have to. This extension is using a hack or exploit or glitch which shouldn’t be possible in the first place. That’s a major problem.
I understand your frustration.
There’s no hack or exploit or glitch involved. To play back a video it must be transferred. There’s no mechanism that would completely prevent this without also breaking Plex.
It would be ideal if Plex enforced bandwidth limits differently, but that’s not how the system currently works. IMO that would be the best Plex improvement here - along with better dashboard/history reporting.
There are some clever ways you could block this with a reverse proxy, but that adds complexity.
That’s not what’s happening. The extension, PlxDwnld, is bypassing my restrictions to allow direct downloads of files. It’s not streaming, it’s not being played. The remote user is actually able to download the file to their computer and play it anyway they like independent on my PMS.
I can control the bandwidth issue if the extension respected my settings. I simply turn off the ability to download files and problem solved.
What other way would classify the problem I just described other than a hack, exploit or glitch? I’m not trying to prevent them from streaming remotely. I’m trying to prevent them from downloading and their setting to be able to do that is disabled. Yet it’s happening anyway.
At a fundamental level, streaming is just “downloading+playing”. Anybody with permission to stream can also save video.
There’s no deep way to allow somebody to stream video (which requires downloading) while also preventing them from downloading. Once the horse has left the barn, there’s no use closing the gate. (The closest thing would be DRM+encryption, but that doesn’t make sense for Plex.)
The official Plex clients just look at those settings to determine if they should offer the friendly “Download” option themselves.
PlxDwnld [*] makes the same types of requests that a user would make when streaming a video. Nothing nefarious.
Plex supports a variety of 3rd-party player apps. Some of them also allow saving.
Don’t let your friends borrow your car if they’re going to take it to the racetrack.
Don’t let your friends use your hose if they’re going to fill swimming pools.
Make a feature suggestion for the server to bandwidth-throttle streams and downloads. Or if you’re interested I can suggest some reverse proxy mitigations.
[*] What’s more alarming about PlxDwnld is that it can see any browser data, like your Plex authentication tokens. And the javascript for it is downloaded when it’s used, so it could be changed by the hoster. If the script host is malicious, it could exfiltrate that data.
I appreciate the input, but no, streaming isn’t downloading and playing. Technically you can say that buffer is a form of downloading, but no one can save the video. That’s why “downloading” is only permitted on devices like iPhones and iPads and not desktops or laptops. There’s no official file structure to extract the file from. I can’t download a file to my desktop or laptop thru Plex to watch offline, but I can on my iPhone and iPad.
You’re also missing the point of my problem and focusing on the process of how people stream things via Plex. Not why are people able to direct download entire files without streaming when the setting to do that is turned off.
The bottom line is PlxDwnld shouldn’t be able to bypass my settings. Except it is. That’s the problem. And to reiterate, this has nothing to do with streaming.
The desktop apps do allow downloading. On both phones and desktop, the downloaded/synced files are easily accessible in the filesystem.
The Plex apps politely observe the “Allow download …” server setting, but it doesn’t - can’t - prevent other apps from downloading.
From the server’s perspective there’s no difference between streaming and downloading. It’s just sending 1’s and 0’s. The server could choose to send these more slowly - if Plex improved that feature.
Once the 1’s and 0’s are sent, the server doesn’t have any control over them any more.
When the client receives them, it chooses what to do next - discard the bits immediately, or save them. Addressing this would require a DRM system.
That’s new since last year. Good to know. It still has absolutely NOTHING to do with what the problem is. I’ll just wait for a Plex employee to address this further.
As they stated before, “If people are able to download from your server, then they are not doing [it] officially. They may be using some other tool or hack to do so.” This exploit shouldn’t be allowed. Those 1’s and 0’s must adhere to rules and if there’s an unofficial way to get around those rules, it must be patched to prevent it.
There’s no official file structure to extract the file from
Sure there is, it’s just not exposed to the average user/admin
I can’t download a file to my desktop or laptop thru Plex to watch offline
Of course you can, if you have a PlexPass subscription
See: https://support.plex.tv/articles/downloads-on-desktop/
The bottom line is PlxDwnld shouldn’t be able to bypass my settings. Except it is. That’s the problem. And to reiterate, this has nothing to do with streaming.
well no, it shouldn’t but it does because of the way plex handles streaming and that download tool exploits it @Volts did a much better job explaining it in his previous post.
I’m aware of how you can access those files on devices, but the average person doesn’t know how.
Again, I will wait for a Plex employee to respond since this is drifting off topic and the responses, while informative and helpful, don’t address the problem I’m wishing to fix.
OK. I’m not trying to agitate you. I’m trying to use some different analogies to help make it clear how & why it works this way.
I’m not trying to convince you about how things should work, only that they work this way currently. This is true for any non-DRM-protected streaming media system.
@anon18523487 is a Plex employee and already mentioned in his first post that there really is no way to stop them. Not sure what else you are expecting to hear from Plex, it’s already been explained multiple times by @Volts and the fact that DRM would essentially need to be deployed to prevent this. It’s the same reason certain applications can download from certain streaming sites without issue and the only reason those are doable is because not everything is DRM’ed on those.
-Shark2k
Your responses are extremely insightful and quite informative. But they address how Plex streams and how Plex downloads. I’m not trying to prevent streaming, but I am trying to prevent downloading. There’s an option to enable or disable downloading privileges. The issue that I’m seeking to be addressed is why that’s being bypassed by this extensions… All the explanations of how something is downloaded is irrelevant when downloading is turned off. It’s like taking the car key away yet a person can still unlock your car with a special app that isn’t authorized to unlock the car. .
Again, I will wait for a Plex employee since no one is addressing the issue at hand.
This is about a setting being bypassed by an extension. That appears to be missed by those attempting to be helpful.
Please don’t respond to this thread unless you have something useful to contribute about Plex settings being ignored by extensions.
It’s like taking the car key away yet a person can still unlock your car with a special app that isn’t authorized to unlock the car. .
Yes, this is pretty much exactly what is happening…
and you said our explanations weren’t helpful.
Plex is aware of the exploit, they just haven’t done anything (if there can be anything done) to fix it.
You use to be able to click on any film/tv episode, click on get info and then view XML, and if you knew which parts of the URL to put together…
You could download anything you wanted from any shared server.
They have stopped exposing those bits in the XML, but it doesn’t mean they aren’t still there
