Miscellaneous fixes (0.17 beta) (#21934)

* improve chip tooltip display - use formatList to use i18n separators instead of commas - ensure the correct event type is used so sublabels are not run through normalization - remove smart-capitalization classes as translated labels use i18n (which includes capitalization) - give icons an optional key so that the console doesn't complain about duplication when rendering * Add grace period for recording segment checks to prevent spurious ffmpeg restarts * add admin precedence to proxy role_map resolution to prevent downgrade * clean up * formatting * work around radix pointer events issue when dialog is opened from drawer fixes https://github.com/blakeblackshear/frigate/discussions/21940 * prevent console warnings about missing titles and descriptions make these invisible with sr-only * remove duplicate language * Adjust handling for device sizes * Cleanup --------- Co-authored-by: Nicolas Mowen <nickmowen213@gmail.com>
2026-05-04 23:14:12 +02:00 · 2026-02-12 14:42:08 -06:00
parent e1005ac2a5
commit 67e3f8eefa
14 changed files with 268 additions and 122 deletions
--- a/frigate/api/auth.py
+++ b/frigate/api/auth.py
@@ -439,10 +439,11 @@ def resolve_role(
    Determine the effective role for a request based on proxy headers and configuration.

    Order of resolution:
-      1. If a role header is defined in proxy_config.header_map.role:
-         - If a role_map is configured, treat the header as group claims
-           (split by proxy_config.separator) and map to roles.
-         - If no role_map is configured, treat the header as role names directly.
+            1. If a role header is defined in proxy_config.header_map.role:
+                 - If a role_map is configured, treat the header as group claims
+                     (split by proxy_config.separator) and map to roles.
+                     Admin matches short-circuit to admin.
+                 - If no role_map is configured, treat the header as role names directly.
      2. If no valid role is found, return proxy_config.default_role if it's valid in config_roles, else 'viewer'.

    Args:
@@ -492,6 +493,12 @@ def resolve_role(
        }
        logger.debug("Matched roles from role_map: %s", matched_roles)

+        # If admin matches, prioritize it to avoid accidental downgrade when
+        # users belong to both admin and lower-privilege groups.
+        if "admin" in matched_roles and "admin" in config_roles:
+            logger.debug("Resolved role (with role_map) to 'admin'.")
+            return "admin"
+
        if matched_roles:
            resolved = next(
                (r for r in config_roles if r in matched_roles), validated_default