Fixes (#18897)

* Fix showing review items that span over multiple days * Simplify * Fix tests * Fix unchanged value * Allow admin as default role and viewer as passed header for proxy auth --------- Co-authored-by: Josh Hawkins <32435876+hawkeye217@users.noreply.github.com>
2026-03-16 02:17:46 +01:00 · 2025-06-26 13:01:09 -06:00
parent 5593495abd
commit ea576e7468
3 changed files with 20 additions and 16 deletions
--- a/frigate/api/auth.py
+++ b/frigate/api/auth.py
@@ -33,6 +33,7 @@ from frigate.models import User
 logger = logging.getLogger(__name__)

 router = APIRouter(tags=[Tags.auth])
+VALID_ROLES = ["admin", "viewer"]


 class RateLimiter:
@@ -272,12 +273,13 @@ def auth(request: Request):
            else proxy_config.default_role
        )

-        # if comma-separated with "admin", use "admin", else use default role
-        success_response.headers["remote-role"] = (
-            "admin"
-            if role
-            and "admin" in [r.strip() for r in role.split(proxy_config.separator)]
-            else proxy_config.default_role
+        # if comma-separated with "admin", use "admin",
+        # if comma-separated with "viewer", use "viewer",
+        # else use default role
+
+        roles = [r.strip() for r in role.split(proxy_config.separator)] if role else []
+        success_response.headers["remote-role"] = next(
+            (r for r in VALID_ROLES if r in roles), proxy_config.default_role
        )

        return success_response
@@ -402,7 +404,7 @@ def login(request: Request, body: AppPostLoginBody):
    password_hash = db_user.password_hash
    if verify_password(password, password_hash):
        role = getattr(db_user, "role", "viewer")
-        if role not in ["admin", "viewer"]:
+        if role not in VALID_ROLES:
            role = "viewer"  # Enforce valid roles
        expiration = int(time.time()) + JWT_SESSION_LENGTH
        encoded_jwt = create_encoded_jwt(user, role, expiration, request.app.jwt_token)
@@ -432,7 +434,7 @@ def create_user(
    if not re.match("^[A-Za-z0-9._]+$", body.username):
        return JSONResponse(content={"message": "Invalid username"}, status_code=400)

-    role = body.role if body.role in ["admin", "viewer"] else "viewer"
+    role = body.role if body.role in VALID_ROLES else "viewer"
    password_hash = hash_password(body.password, iterations=HASH_ITERATIONS)
    User.insert(
        {
@@ -503,7 +505,7 @@ async def update_role(
        return JSONResponse(
            content={"message": "Cannot modify admin user's role"}, status_code=403
        )
-    if body.role not in ["admin", "viewer"]:
+    if body.role not in VALID_ROLES:
        return JSONResponse(
            content={"message": "Role must be 'admin' or 'viewer'"}, status_code=400
        )
--- a/frigate/api/review.py
+++ b/frigate/api/review.py
@@ -58,9 +58,8 @@ async def review(
    )

    clauses = [
-        (ReviewSegment.start_time > after)
-        & (ReviewSegment.start_time < before)
-        & ((ReviewSegment.end_time.is_null(True)) | (ReviewSegment.end_time < before))
+        (ReviewSegment.start_time < before)
+        & ((ReviewSegment.end_time.is_null(True)) | (ReviewSegment.end_time > after))
    ]

    if cameras != "all":