From 2be5225440fff96a4d04c0a22f7bbde355afc1f3 Mon Sep 17 00:00:00 2001
From: Josh Hawkins <32435876+hawkeye217@users.noreply.github.com>
Date: Mon, 10 Mar 2025 10:00:35 -0500
Subject: [PATCH] More auth role fixes (#17067)
* simplify check and handle comma separated roles
* spacing
---
 frigate/api/auth.py | 17 +++++++++--------
 web/src/components/auth/AuthForm.tsx | 2 +-
 2 files changed, 10 insertions(+), 9 deletions(-)
diff --git a/frigate/api/auth.py b/frigate/api/auth.py
index 2be26cc8a..91ca5e729 100644
--- a/frigate/api/auth.py
+++ b/frigate/api/auth.py
@@ -265,11 +265,18 @@ def auth(request: Request):
 if user_header
 else "anonymous"
 )
- success_response.headers["remote-role"] = (
+ role_header = proxy_config.header_map.role
+ role = (
 request.headers.get(role_header, default="viewer")
 if role_header
 else "viewer"
 )
+
+ # if comma-separated with "admin", use "admin", else "viewer"
+ success_response.headers["remote-role"] = (
+ "admin" if role and "admin" in role else "viewer"
+ )
+
 return success_response
 # now apply authentication
@@ -359,14 +366,8 @@ def auth(request: Request):
 @router.get("/profile")
 def profile(request: Request):
 username = request.headers.get("remote-user", "anonymous")
- role = request.headers.get("remote-role")
+ role = request.headers.get("remote-role", "viewer")
- if role is None and username != "anonymous":
- try:
- user = User.get_by_id(username)
- role = getattr(user, "role", "viewer")
- except DoesNotExist:
- role = "viewer" # Fallback if user deleted
 return JSONResponse(content={"username": username, "role": role})
diff --git a/web/src/components/auth/AuthForm.tsx b/web/src/components/auth/AuthForm.tsx
index 617ce1693..85bd6bccb 100644
--- a/web/src/components/auth/AuthForm.tsx
+++ b/web/src/components/auth/AuthForm.tsx
@@ -87,7 +87,7 @@ export function UserAuthForm({ className, ...props }: UserAuthFormProps) {
 return (
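Review bot: In the first hunk of frigate/api/auth.py, the new `"admin" if role and "admin" in role else "viewer"` is a substring test on the raw header string, not a membership test on the comma-separated list the comment describes, so a proxy-supplied value such as `camera-admins` or `non-admin` (constructed examples) would be mapped to `admin`. Split and compare whole entries instead: `roles = {r.strip() for r in role.split(",")} if role else set()` followed by `"admin" if "admin" in roles else "viewer"`. The comment would then read `# header may carry a comma-separated list; grant "admin" only on an exact "admin" entry`. The body of auth() starts and continues outside this hunk, so whether this branch is reached only for traffic from a trusted proxy cannot be confirmed from here.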
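Review bot: In the second hunk of frigate/api/auth.py, profile() now returns whatever string arrives in the `remote-role` request header, with no check against the known roles and no longer any lookup of the stored user, so the reported role is only as trustworthy as the component that sets that header. If `admin` and `viewer` are the only roles, as the mapping added in auth() suggests, normalise the value after the `request.headers.get` line: `role = role if role in ("admin", "viewer") else "viewer"`. A short docstring should state that `remote-user` and `remote-role` are expected to come from the auth() response and that the fronting proxy must strip client-supplied copies of both headers. With the `User.get_by_id` fallback removed, a request that reaches this route without the header presumably reports a stored admin as `viewer`; confirm that is intended.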