i am implementing an iphone client and it already works pretty nice.
i have a mt-daapd server running at home, currently about 16200 songs served.
but i can easily stream songs without using a password.
e.g. everybody could just call the url: http://myserver.com:3689/databases/1/items/15.mp3
and it would stream the song (if the item 15 exists and is a mp3 of course).
is this a bug or did i just setup my mt-daapd wrong?
the funny thing is, if i use songbirds daap pluging, it asks me about the mp3 password.
so is this pwd just a clients application thing.
and if you write your own client, you could just omit it?
what i am trying to say is…
i just want to password protect my files from being downloaded.
anybody could just make a script to get many files.
like “download http://myserver.com/databases/1/items/%5B1.mp3, 2.mp3, … 15320.mp3]”.
any idea how to prevent this situation?
It requires a login after my patch. Just tried it. So what you found is the same issue really. The patch fixes it as well.
Oh, and you need to set a user password. Otherwise you simply opt to give that info out unprotected. But I guess you did that as otherwise also the download is the same. No password=global sharing.
The bug here was that it was also sharing globally with a password without that patch.