@Cagabi identified a security hole today in emoncms that affects multi-user installations, resulting from the way input process and virtual feed process list where set. I have since fixed the issue and the fix is now available in the latest stable and master branch of emoncms.
see: https://github.com/emoncms/emoncms/releases/tag/9.8.11
The input processing part of the issue allowed an emoncms user to add a process to an input that referenced a feed of another emoncms user on the same installation allowing both writing and reading of data - but only in realtime, historic data could not be overwritten or read. No meta data feed name, userid etc could be read. This could be achieved with a call to the underlying input set processlist API.
The virtual feed part allowed a user to access the full history of a feed from any other user on the installation by adding the source feed process with the feedid of any feed, which could be done with a call again to the underlying API.
Its worth noting that for emonpi and emonbase installations running emoncms locally with a single emoncms account created (default install) this issue cannot be exploited. Which means this is only an important update if your running a multi-user installation where the potentially exploiting user has an emoncms account.
The input processing part of the issue was present on emoncms.org (which has now been fixed), I ran a script to verify the content of all input process lists on all emoncms.org inputs and did not identify any processlists referencing feeds or inputs from other accounts.
Trystan