4.6.2 (#950)

# Improvements
- Adds better validation for security passwords

# Bug Fixes
- Conditionally skip permission validation and setting on Windows
systems
- Improve cross-platform compatibility for authentication settings
handling
- Fixes bug where users cannot set up initial security through the webUI

**Full Changelog**:
v4.6.1...v4.6.2

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Actionbot <actions@github.com>

Author: 4 people

CHANGELOG

@@ -1,20 +1,9 @@
-# Requirements Updated
-- "argon2-cffi==25.1.0"
-- "slowapi==0.1.9"
-- "ruff==0.12.12"
-
-# New Features
-- Adds authentication support for the webUI and webAPI (Fixes #867)
-
 # Improvements
-- Enhanced `--web-server` option to support disabling with `--web-server=False` while maintaining backward compatibility
-- The `schedule.yml` is now renamed to `qbm_settings.yml` in order to support security features (Automatic migration)
-- Makes hyperlinks clickable in the webUI (Fixes #938)
+- Adds better validation for security passwords
 
 # Bug Fixes
-- Better support for windows paths when using remote_dir
-- Fix `QBT_CONFIG_DIR` not supporting folders with subdirectories (Fixes #934)
-- Fixes webUI not being packaged with PyPi builds
-- Fix bug in remove_orphaned where it's not able to start a new thread in concurrent runs
+- Conditionally skip permission validation and setting on Windows systems
+- Improve cross-platform compatibility for authentication settings handling
+- Fixes bug where users cannot set up initial security through the webUI
 
-**Full Changelog**: https://github.com/StuffAnThings/qbit_manage/compare/v4.6.0...v4.6.1
+**Full Changelog**: https://github.com/StuffAnThings/qbit_manage/compare/v4.6.1...v4.6.2

Makefile

@@ -300,6 +300,7 @@ prep-release:
 	patch=$$(echo "$$new_version" | cut -d. -f3); \
 	prev_patch=$$((patch - 1)); \
 	prev_version="$$major.$$minor.$$prev_patch"; \
+	git fetch origin master:master \
 	updated_deps=$$(git diff master..HEAD -- pyproject.toml | grep '^+' | grep '==' | sed 's/^+//' | sed 's/^ *//' | sed 's/,$$//' | sed 's/^/- /'); \
 	echo "# Requirements Updated" > CHANGELOG; \
 	if [ -n "$$updated_deps" ]; then \

VERSION

@@ -1 +1 @@
-4.6.1
+4.6.2

desktop/tauri/src-tauri/Cargo.lock

@@ -43,7 +43,7 @@ license = "MIT"
 name = "qbit-manage-desktop"
 repository = ""
 rust-version = "1.70"
-version = "4.6.1"
+version = "4.6.2"
 
 [target."cfg(unix)".dependencies]
 glib = "0.20.0"

desktop/tauri/src-tauri/Cargo.toml

@@ -68,5 +68,5 @@
   },
   "identifier": "com.qbitmanage.desktop",
   "productName": "qBit Manage",
-  "version": "4.6.1"
+  "version": "4.6.2"
 }

desktop/tauri/src-tauri/tauri.conf.json

@@ -17,7 +17,7 @@
 |      `-ru` or `--rem-unregistered`      |       QBT_REM_UNREGISTERED      |    rem_unregistered   | Use this if you would like to remove unregistered torrents. (It will the delete data & torrent if it is not being cross-seeded, otherwise it will just remove the torrent without deleting data). Trackers that have an error and not covered by the remove unregistered logic will also be tagged as `issue` for manual review.                                                                                                                           |       False       |
 |     `-tte` or `--tag-tracker-error`     |      QBT_TAG_TRACKER_ERROR      |    tag_tracker_error  | Use this if you would like to tag torrents that do not have a working tracker.                                                                                                                                                                                                                                                                                                                                                                             |       False       |
 |        `-ro` or `--rem-orphaned`        |         QBT_REM_ORPHANED        |      rem_orphaned     | Use this if you would like to remove orphaned files from your `root_dir` directory that are not referenced by any torrents. It will scan your `root_dir` directory and compare it with what is in qBittorrent. Any data not referenced in qBittorrent will be moved into `/data/torrents/orphaned_data` folder for you to review/delete.                                                                                                                   |       False       |
-|      `-tnhl` or `--tag-nohardlinks`     |       QBT_TAG_NOHARDLINKS       |     tag_nohardlinks   | Use this to tag any torrents that do not have any hard links associated with any of the files. This is useful for those that use Sonarr/Radarr that hard links your media files with the torrents for seeding. When files get upgraded they no longer become linked with your media therefore will be tagged with a new tag noHL. You can then safely delete/remove these torrents to free up any extra space that is not being used by your media folder. |       False       |
+|      `-tnhl` or `--tag-nohardlinks`     |       QBT_TAG_NOHARDLINKS       |     tag_nohardlinks   | Use this to tag any torrents where the torrent's largest file does not have any hardlinks associated with any of the files outside of your Qbit_Manage root directory. This is useful for those that use Sonarr/Radarr that hard links your media files with the torrents for seeding. When files get upgraded they no longer become linked with your media therefore will be tagged with a new tag noHL. You can then safely delete/remove these torrents to free up any extra space that is not being used by your media folder. Refer to the qbm hardlinks functionality documentation for details. |       False       |
 |        `-sl` or `--share-limits`        |         QBT_SHARE_LIMITS        |      share_limits     | Control how torrent share limits are set depending on the priority of your grouping. Each torrent will be matched with the share limit group with the highest priority that meets the group filter criteria. Each torrent can only be matched with one share limit group.                                                                                                                                                                                  |       False       |
 |        `-sc` or `--skip-cleanup`        |         QBT_SKIP_CLEANUP        |      skip_cleanup     | Use this to skip emptying the Recycle Bin folder (`/root_dir/.RecycleBin`) and Orphaned directory. (`/root_dir/orphaned_data`)                                                                                                                                                                                                                                                                                                                             |       False       |
 |           `-dr` or `--dry-run`          |           QBT_DRY_RUN           |         dry_run       | If you would like to see what is gonna happen but not actually move/delete or tag/categorize anything.                                                                                                                                                                                                                                                                                                                                                     |       False       |

docs/Commands.md

@@ -144,7 +144,7 @@ This section defines the tags used based upon the tracker's URL.
 | `cat`       | Set the category based on tracker URL. This category option takes priority over the category defined in [cat](#cat) | None           | <center>❌</center> |
 | `notifiarr` | Set this to the notifiarr react name. This is used to add indexer reactions to the notifications sent by Notifiarr  | None           | <center>❌</center> |
 
-If you are unsure what key word to use. Simply select a torrent within qB and down at the bottom you should see a tab that says `Trackers` within the list that is populated there are ea list of trackers that are associated with this torrent, select a keyword from there and add it to the config file. Make sure this key word is unique enough that the script will not get confused with any other tracker.
+If you are unsure what key word to use. Simply select a torrent within qB and down at the bottom you should see a tab that says `Trackers` within the list that is populated there are ea list of trackers that are associated with this torrent, select a keyword from there and add it to the config file. Make sure this keyword is unique enough that the script will not get confused with any other tracker.
 
 >[!TIP]
 > The `other` key is a special keyword and if defined will tag any other trackers that don't match the above trackers into this tag.
@@ -168,6 +168,9 @@ If you're needing information regarding hardlinks here are some excellent resour
 > Mandatory to fill out [directory parameter](#directory) above to use this function (root_dir/remote_dir)
 Beyond this you'll need to use one of the [categories](#cat) above as the key.
 
+This functionality will tag any torrent's whose file (or largest file if multi-file) does not have any hardlinks outside the qbm root_dir.
+Note that `ignore_root_dir` (Default: True) will ignore any hardlinks detected in the same root_dir.
+
 | Configuration | Definition                                                | Required           |
 | :------------ | :-------------------------------------------------------- | :----------------- |
 | `key`         | Category name to check for nohardlinked torrents in qbit. | <center>✅</center> |

docs/Config-Setup.md

@@ -4,6 +4,7 @@
 import hashlib
 import ipaddress
 import os
+import platform
 import re
 import secrets
 from collections import defaultdict
@@ -338,22 +339,25 @@ def _load_auth_settings(self) -> AuthSettings:
 
         try:
             if self.settings_path.exists():
-                # Check file permissions for security
-                try:
-                    stat_info = self.settings_path.stat()
-                    # Check if file is readable/writable by group or others (should be 600 or similar)
-                    if stat_info.st_mode & 0o077:  # Check if group/other has any permissions
-                        logger.warning(
-                            f"Settings file {self.settings_path} has overly permissive permissions. "
-                            f"Fixing to 600 (owner read/write only)."
-                        )
-                        try:
-                            os.chmod(str(self.settings_path), 0o600)
-                            logger.info(f"Fixed permissions for settings file {self.settings_path} to 600.")
-                        except OSError as e:
-                            logger.error(f"Could not fix permissions for settings file: {e}")
-                except (OSError, AttributeError) as e:
-                    logger.warning(f"Could not check permissions for settings file: {e}")
+                # Check file permissions for security (skip on Windows as it uses different permission model)
+                if platform.system() != "Windows":
+                    try:
+                        stat_info = self.settings_path.stat()
+                        # Check if file is readable/writable by group or others (should be 600 or similar)
+                        if stat_info.st_mode & 0o077:  # Check if group/other has any permissions
+                            logger.warning(
+                                f"Settings file {self.settings_path} has overly permissive permissions. "
+                                f"Fixing to 600 (owner read/write only)."
+                            )
+                            try:
+                                os.chmod(str(self.settings_path), 0o600)
+                                logger.info(f"Fixed permissions for settings file {self.settings_path} to 600.")
+                            except OSError as e:
+                                logger.error(f"Could not fix permissions for settings file: {e}")
+                    except (OSError, AttributeError) as e:
+                        logger.warning(f"Could not check permissions for settings file: {e}")
+                else:
+                    logger.debug("Skipping file permission check on Windows (uses different permission model)")
 
                 with open(self.settings_path, encoding="utf-8") as f:
                     yaml_loader = ruamel.yaml.YAML(typ="safe")
@@ -574,11 +578,14 @@ def save_auth_settings(settings_path: Path, settings: AuthSettings) -> bool:
         with open(settings_path, "w", encoding="utf-8") as f:
             yaml.dump(data, f)
 
-        # Set restrictive permissions (600 - owner read/write only)
-        try:
-            os.chmod(str(settings_path), 0o600)
-        except OSError as e:
-            logger.error(f"Could not set permissions for settings file: {e}")
+        # Set restrictive permissions (600 - owner read/write only) - skip on Windows
+        if platform.system() != "Windows":
+            try:
+                os.chmod(str(settings_path), 0o600)
+            except OSError as e:
+                logger.error(f"Could not set permissions for settings file: {e}")
+        else:
+            logger.debug("Skipping file permission setting on Windows (uses different permission model)")
 
         return True
     except Exception as e:

modules/auth.py

@@ -1725,17 +1725,26 @@ async def update_security_settings(self, request: SecuritySettingsRequest, req:
                 f"has_username={bool(current_settings.username)}"
             )
 
+            # Check if this is initial setup (no authentication currently configured)
+            is_initial_setup = not current_settings.enabled or (
+                current_settings.method == "none" and not current_settings.username and not current_settings.api_key
+            )
+
             # Check if client is local and bypass_auth_for_local is enabled
             if current_settings.bypass_auth_for_local and is_local_ip(req, current_settings.trusted_proxies):
                 logger.trace("Local client with bypass_auth_for_local enabled, skipping credential verification")
                 auth_verified = True
+            elif is_initial_setup:
+                # Allow initial setup without credentials when no authentication is configured
+                logger.trace("Initial authentication setup detected, skipping credential verification")
+                auth_verified = True
             else:
                 # Verify current credentials for reauthentication
                 auth_verified = False
 
             # First, try credentials provided in the request body
             # Try API key verification first
-            if request.current_api_key and current_settings.api_key:
+            if not auth_verified and request.current_api_key and current_settings.api_key:
                 logger.trace("Attempting API key verification from request body")
                 if verify_api_key(request.current_api_key, current_settings.api_key):
                     auth_verified = True
@@ -1786,8 +1795,8 @@ async def update_security_settings(self, request: SecuritySettingsRequest, req:
                         except Exception as e:
                             logger.warning(f"Error parsing Basic auth header: {e}")
 
-            # If neither method worked, require authentication
-            if not auth_verified:
+            # If neither method worked and it's not initial setup, require authentication
+            if not auth_verified and not is_initial_setup:
                 logger.warning("No valid current credentials provided for security settings update")
                 return {"success": False, "message": "Current credentials required to update security settings"}