[Bug]: Exports cannot be deleted by anonymous users with the viewer role but there is no indication in the UI about the failure

[nagisa]

Checklist

• I have updated to the latest available Frigate version.
• I have cleared the cache of my browser.
• I have tried a different browser to see if it is related to my browser.
• I have tried reproducing the issue in incognito mode to rule out problems with any third party extensions or plugins I have installed.
• I have asked the AI at https://docs.frigate.video about my issue.

Describe the problem you are having

In frigate users with the viewer role (incl. when authentication is disabled) are able to export parts of the recording. However going to the list of exports and attempting to delete the recording will fail without any feedback when pressing "delete" in the deletion confirmation dialog.

Internally the API call returns HTTP 403 and the following body

{"detail":"Role viewer not authorized. Required: admin"}

This makes some sense, but this message is not surfaced in the UI in any way and it looks just as if the button is not reacting to the input at all. The removal confirmation dialog stays open as well.

The UI should show some sort of an error message in this case.

Steps to reproduce

1. Disable authentication, visit frigate (by default the role is viewer;)
2. Export a part of a recording;
3. Go to /export and attempt to delete the recording;
4. Observe dev-tools.

Version

0.16.2

In which browser(s) are you experiencing the issue with?

Firefox

Frigate config file

audio:
  enabled: true
  listen:
    - bark
    - fire_alarm
    - scream
    - speech
    - yell
    - roar
    - growling
    - whimper_dog
    - crying
    - car_alarm
    - tire_squeal
auth:
  enabled: false
birdseye:
  enabled: false
cameras:
  a:
    ffmpeg:
      inputs:
        - path: rtsp://127.0.0.1:8554/a_record
          roles:
            - record
            - audio
        - path: rtsp://127.0.0.1:8554/a_detect
          roles:
            - detect
    live:
      height: 960
      streams:
        Live: a_record
    motion:
      contour_area: 120
      threshold: 30
  c:
    audio:
      enabled: false
    detect:
      enabled: false
    ffmpeg:
      inputs:
        - path: rtsp://127.0.0.1:8554/c
          roles:
            - record
    live:
      height: 960
      streams:
        Live: c
    motion:
      enabled: false
  g:
    ffmpeg:
      inputs:
        - path: rtsp://127.0.0.1:8554/g_record
          roles:
            - record
            - audio
        - path: rtsp://127.0.0.1:8554/g_detect
          roles:
            - detect
    live:
      height: 960
      streams:
        Live: g_record
    motion:
      contour_area: 120
      mask:
        562,49,740,85,934,144,1013,170,1064,194,1039,272,968,240,841,229,724,210,604,200,482,191,330,191,350,29
      threshold: 25
  i:
    ffmpeg:
      inputs:
        - path: rtsp://127.0.0.1:8554/i_record
          roles:
            - record
            - audio
        - path: rtsp://127.0.0.1:8554/i_detect
          roles:
            - detect
    live:
      height: 960
      streams:
        Live: i_record
    motion:
      contour_area: 120
      threshold: 40
  m:
    ffmpeg:
      inputs:
        - path: rtsp://127.0.0.1:8554/m_record
          roles:
            - record
            - audio
        - path: rtsp://127.0.0.1:8554/m_detect
          roles:
            - detect
    live:
      height: 960
      streams:
        Live: m_record
    motion:
      contour_area: 96
      mask:
        0,626,135,557,360,502,586,425,809,340,883,274,948,239,1117,184,1198,99,1188,46,1092,16,947,0,516,37,243,98,0,181
      threshold: 45
  p:
    ffmpeg:
      inputs:
        - path: rtsp://127.0.0.1:8554/p_record
          roles:
            - record
            - audio
        - path: rtsp://127.0.0.1:8554/p_detect
          roles:
            - detect
    live:
      height: 960
      streams:
        Live: p_record
    motion:
      contour_area: 96
      threshold: 45
  r:
    ffmpeg:
      inputs:
        - path: rtsp://127.0.0.1:8554/r_record
          roles:
            - record
            - audio
        - path: rtsp://127.0.0.1:8554/r_detect
          roles:
            - detect
    live:
      height: 1280
      streams:
        Live: r_record
    motion:
      contour_area: 60
      frame_height: 320
      threshold: 30
  t:
    ffmpeg:
      inputs:
        - path: rtsp://127.0.0.1:8554/t_record
          roles:
            - record
            - audio
        - path: rtsp://127.0.0.1:8554/t_detect
          roles:
            - detect
    live:
      height: 960
      streams:
        Live: t_record
    motion:
      contour_area: 120
      threshold: 25
database:
  path: /var/lib/frigate/frigate.db
detect:
  enabled: true
  fps: 5
  max_disappeared: 50
  stationary:
    interval: 10
detectors:
  ov:
    device: GPU
    type: openvino
ffmpeg:
  hwaccel_args: preset-vaapi
  path: /nix/store/8m26k5nvbw67fp2l53vxvxhagx44599k-ffmpeg-headless-8.0-bin
go2rtc:
  api:
    listen: 127.0.0.1:1984
    origin: '*'
  ffmpeg:
    bin:
      /nix/store/8m26k5nvbw67fp2l53vxvxhagx44599k-ffmpeg-headless-8.0-bin/bin/ffmpeg
  rtsp: {}
  streams:
    a_detect:
      rtsp://....sdp
    a_record:
      - ffmpeg:rtsp://....sdp#video=copy#audio=aac
      - ffmpeg:aikstele_record#audio=opus
    c:
      ffmpeg:http://...#video=h264#hardware
    g_detect:
      rtsp://....sdp
    g_record:
      - ffmpeg:rtsp://....sdp#video=copy#audio=aac
      - ffmpeg:g_record#audio=opus
    i_detect:
      rtsp://....sdp
    i_record:
      - ffmpeg:rtsp://....sdp#video=copy#audio=aac
      - ffmpeg:i_record#audio=opus
    m_detect:
      rtsp://....sdp
    m_record:
      - ffmpeg:rtsp://....sdp#video=copy#audio=aac
      - ffmpeg:m_record#audio=opus
    p_detect:
      rtsp://....sdp
    p_record:
      - ffmpeg:rtsp://....sdp#video=copy#audio=aac
      - ffmpeg:p_record#audio=opus
    r_detect:
      rtsp://....sdp
    r_record:
      - ffmpeg:rtsp://....sdp#video=copy#audio=aac
      - ffmpeg:r_record#audio=opus
    t_detect:
      rtsp://....sdp
    t_record:
      - ffmpeg:rtsp://....sdp#video=copy#audio=aac
      - ffmpeg:t_record#audio=opus
  webrtc:
    candidates:
      - 192.168.100.1:8555
model:
  height: 320
  input_pixel_format: bgr
  labelmap_path: /var/lib/frigate/coco-80.txt
  model_type: yolonas
  path: /var/lib/frigate/models/yolo_nas_s.xml
  width: 320
motion:
  contour_area: 20
  frame_height: 240
  lightning_threshold: 0.3
  threshold: 30
mqtt:
  enabled: true
  host: mqtt.snip
objects:
  track:
    - person
    - bicycle
    - car
    - motorcycle
    - cat
    - dog
    - horse
    - sheep
    - cow
    - bear
    - zebra
record:
  alerts:
    retain: {}
    pre_capture: 3
    post_capture: 3
  detections:
    retain: {}
    pre_capture: 3
    post_capture: 3
  enabled: true
  retain:
    days: 3
    mode: all
review:
  alerts:
    labels: []
  detections:
    labels:
      - person
      - bicycle
      - car
      - motorcycle
      - cat
      - dog
      - horse
      - sheep
      - cow
      - bear
      - zebra
snapshots:
  enabled: false
telemetry:
  stats:
    amd_gpu_stats: false
    intel_gpu_stats: false
version: 0.16-0

docker-compose file or Docker CLI command

N/A (I use a nixos module)

Relevant Frigate log output

N/A

No relevant log messages at the default log levels

Relevant go2rtc log output

N/A

Not a go2rtc issue

Operating system

Other Linux

Install method

Home Assistant Add-on

Network connection

Wired

Camera make and model

Vivotek IT9380H

Screenshots of the Frigate UI's System metrics pages

Not relevant

Any other information that may be helpful

No response

[inkeep-ai-assistant[bot]]

Export Deletion Permissions and UI Feedback

You've identified a legitimate issue where the UI doesn't provide feedback when a viewer role user attempts to delete an export and receives a 403 error.

Current Behavior

When authentication is disabled, users have the viewer role by default(1). The DELETE endpoint for exports (DELETE /export/{event_id}) requires admin role permissions(2). When a viewer attempts to delete an export, the API returns:

{"detail":"Role viewer not authorized. Required: admin"}

(2)

However, the UI doesn't surface this error message, making it appear as though the delete button isn't working.

Configuration Context

With auth.enabled: False in your configuration(3), users are assigned the viewer role by default. The authentication configuration supports role-based access control where certain operations require admin privileges(1)(3).

Workaround

To allow export deletion, you would need to either:

1. Enable authentication and use an admin account
2. Change the default role (though this isn't recommended for security reasons)

The authentication configuration allows you to set auth.enabled: True and manage user roles appropriately(1)(3).

Issue Summary

This is a UI/UX issue where the frontend should display the 403 error message to inform users that they lack the necessary permissions to delete exports. The API is functioning correctly by enforcing role-based access control, but the UI needs to communicate this restriction to users.

📚 Sources:

1. Authentication
2. DELETE /export/{event_id}
3. Full Reference Config

---

Have another question? Just tag @inkeep.

[NickM-27]

Thanks, this has been addressed in #21141