Had the same thought, and I agree, it is far too open for anyone just to alter the thing, but it seems the makers had no time to go deeper into this topic.
I had to reinstall my musicbox because I changed the password of ROOT and via SSH I could net get into it after that change.
Now being extra careful I checked first if root with standard password worked and slowly stepped to add the line musicbox_password after root_password.
Via SSH, because we do not want to hang it on a tv all the time, I need to access it for checkups and updates, I could access ROOT, pfew, that still works, but the user musicbox, no access…
Now, why is there talk in the manual about that it needs to be cosy in the safe lan environment but there is no level of security for those within that cosy and safe lan environment?
Please, I ask you dear programmers of this nifty working piece of software, please add the update to the whole software and not only the backend (read that somewhere) and please please add a level of security in the web page, at least for the settings, that is most important.