Enhance user roles to limit camera access (#20024)

* update config for roles and add validator

* ensure admin and viewer are never overridden

* add class method to user to retrieve all allowed cameras

* enforce config roles in auth api endpoints

* add camera access api dependency functions

* protect review endpoints

* protect preview endpoints

* rename param name for better fastapi injection matching

* remove unneeded

* protect export endpoints

* protect event endpoints

* protect media endpoints

* update auth hook for allowed cameras

* update default app view

* ensure anonymous user always returns all cameras

* limit cameras in explore

* cameras is already a list

* limit cameras in review/history

* limit cameras in live view

* limit cameras in camera groups

* only show face library and classification in sidebar for admin

* remove check in delete reviews

since admin role is required, no need to check camera access. fixes failing test

* pass request with camera access for tests

* more async

* camera access tests

* fix proxy auth tests

* allowed cameras for review tests

* combine event tests and refactor for camera access

* fix post validation for roles

* don't limit roles in create user dialog

* fix triggers endpoints

no need to run require camera access dep since the required role is admin

* fix type

* create and edit role dialogs

* delete role dialog

* fix role change dialog

* update settings view for roles

* i18n changes

* minor spacing tweaks

* docs

* use badges and camera name label component

* clarify docs

* display all cameras badge for admin and viewer

* i18n fix

* use validator to prevent reserved and empty roles from being assigned

* split users and roles into separate tabs in settings

* tweak docs

* clarify docs

* change icon

* don't memoize roles

always recalculate on component render
Josh Hawkins
2025-09-12 06:19:29 -05:00
committed by GitHub
parent ba650af6f2
commit ed1e3a7c9a
41 changed files with 2286 additions and 739 deletions


@@ -556,7 +556,68 @@
"admin": "Admin",
"adminDesc": "Full access to all features.",
"viewer": "Viewer",
"viewerDesc": "Limited to Live dashboards, Review, Explore, and Exports only."
"viewerDesc": "Limited to Live dashboards, Review, Explore, and Exports only.",
"customDesc": "Custom role with specific camera access."
}
}
}
},
"roles": {
"management": {
"title": "Viewer Role Management",
"desc": "Manage custom viewer roles and their camera access permissions for this Frigate instance."
},
"addRole": "Add Role",
"table": {
"role": "Role",
"cameras": "Cameras",
"actions": "Actions",
"noRoles": "No custom roles found.",
"editCameras": "Edit Cameras",
"deleteRole": "Delete Role"
},
"toast": {
"success": {
"createRole": "Role {{role}} created successfully",
"updateCameras": "Cameras updated for role {{role}}",
"deleteRole": "Role {{role}} deleted successfully",
"userRolesUpdated": "{{count}} user(s) assigned to this role have been updated to 'viewer', which has access to all cameras."
},
"error": {
"createRoleFailed": "Failed to create role: {{errorMessage}}",
"updateCamerasFailed": "Failed to update cameras: {{errorMessage}}",
"deleteRoleFailed": "Failed to delete role: {{errorMessage}}",
"userUpdateFailed": "Failed to update user roles: {{errorMessage}}"
}
},
"dialog": {
"createRole": {
"title": "Create New Role",
"desc": "Add a new role and specify camera access permissions."
},
"editCameras": {
"title": "Edit Role Cameras",
"desc": "Update camera access for the role <strong>{{role}}</strong>."
},
"deleteRole": {
"title": "Delete Role",
"desc": "This action cannot be undone. This will permanently delete the role and assign any users with this role to the 'viewer' role, which will give viewer access to all cameras.",
"warn": "Are you sure you want to delete <strong>{{role}}</strong>?",
"deleting": "Deleting..."
},
"form": {
"role": {
"title": "Role Name",
"placeholder": "Enter role name",
"desc": "Only letters, numbers, periods and underscores allowed.",
"roleIsRequired": "Role name is required",
"roleOnlyInclude": "Role name may only include letters, numbers, . or _",
"roleExists": "A role with this name already exists."
},
"cameras": {
"title": "Cameras",
"desc": "Select cameras this role has access to. At least one camera is required.",
"required": "At least one camera must be selected."
}
}
}
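Review bot: The `dialog.deleteRole` strings describe a delete path that widens access, yet the confirmation line `warn` only asks "Are you sure you want to delete …" and leaves the consequence to the second sentence of `desc`. Per `desc` and `toast.success.userRolesUpdated`, users of a camera-restricted role are moved to 'viewer' and gain access to all cameras, and the affected-user count is only reported after the fact. I would lead with the access change, e.g. `"desc": "Users with this role will be moved to 'viewer' and gain access to all cameras. This action cannot be undone."`, and show the user count before confirmation if the dialog can supply it. Separately, `editCameras.desc` and `deleteRole.warn` wrap `{{role}}` in `<strong>`, so they are presumably rendered as markup. That is safe only while the character set in `roleOnlyInclude` is also enforced server-side, which is worth confirming since the rendering and validation code are outside this section.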