Miscellaneous improvements #22714

Merged
hawkeye217 merged 8 commits into dev from misc-fixes
Mar 31, 2026

@hawkeye217
Collaborator

@hawkeye217 hawkeye217 commented Mar 31, 2026

Please read the contributing guidelines before submitting a PR.

Proposed change

This PR makes improvements to features in dev:

  • Scrub GenAI API keys and ONVIF credentials from /api/config response
  • Enforce camera access in thumbnail tracked-object fallback path
  • Block filter and attach flags in custom ffmpeg export args
  • Enforce camera access on VLM monitor and chat start_camera_watch
  • Restrict review summary endpoint to admin role
  • Fix require_role string vs list bug on region grid endpoint
  • Fix section config uiSchema merge replacing base entries

Type of change

  • Dependency upgrade
  • Bugfix (non-breaking change which fixes an issue)
  • New feature
  • Breaking change (fix/feature causing existing functionality to break)
  • Code quality improvements to existing code
  • Documentation Update

Checklist

  • The code change is tested and works locally.
  • Local tests pass. Your PR cannot be merged unless tests pass
  • There is no commented out code in this PR.
  • I can explain every line of code in this PR if asked.
  • UI changes including text have used i18n keys and have been added to the en locale.
  • The code has been formatted using Ruff (ruff format frigate)

The /events/{id}/thumbnail endpoint called require_camera_access when
loading persisted events but skipped the check in the tracked-object
fallback path for in-progress events. A restricted viewer could
retrieve thumbnails from cameras they should not have access to.

The ffmpeg argument blocklist missed -filter_complex, -lavfi, -vf,
-af, -filter, and -attach. These flags can read arbitrary files via
source filters like movie= and amovie=, bypassing the existing -i
block. A user with camera access could exploit this through the
custom export endpoint.

POST /vlm/monitor allowed any authenticated user to start VLM
monitoring on any camera without checking camera access. A viewer
restricted to specific cameras could monitor cameras they should
not have access to.

The start_camera_watch tool called via POST /chat/completion did not
validate camera access, allowing a restricted viewer to start VLM
monitoring on cameras outside their allowed set through the chat
interface.
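
A sketch of the flag check that the ffmpeg export commit message above describes, added here as an illustration and not taken from this PR or the project's code. The function names, the contents of `BLOCKED_FLAGS` and the assumption that custom args arrive as one string are hypothetical.

```python
from __future__ import annotations

import shlex

# Flags named in the commit message, plus the pre-existing -i block.
# Hypothetical list for illustration; not copied from the project's source.
BLOCKED_FLAGS = frozenset(
    {"-i", "-filter_complex", "-lavfi", "-vf", "-af", "-filter", "-attach"}
)


def base_flag(token: str) -> str | None:
    """Return the option name without its stream specifier, or None if
    the token is not an option (for example a value such as 'libx264')."""
    if not token.startswith("-") or len(token) < 2:
        return None
    # ffmpeg accepts per-stream forms such as -filter:v or -filter:a:0.
    # Compare on the part before the first ':' so those are caught too.
    return token.split(":", 1)[0]


def find_blocked_args(custom_args: str) -> list[str]:
    """Return every token in a custom-args string that uses a blocked flag."""
    try:
        tokens = shlex.split(custom_args)
    except ValueError:
        # Unbalanced quotes: refuse the whole string rather than guess
        # how it would be tokenised downstream.
        return [custom_args]
    return [t for t in tokens if base_flag(t) in BLOCKED_FLAGS]


if __name__ == "__main__":
    # Constructed sample inputs, not taken from real requests.
    for sample in (
        "-c:v libx264 -preset fast",
        "-vf movie=PLACEHOLDER",
        "-filter:v:0 scale=640:-1",
    ):
        hits = find_blocked_args(sample)
        print(f"{sample!r}: {'rejected ' + str(hits) if hits else 'accepted'}")
```

A blocklist only covers the flags it names; an allowlist of permitted options fails closed when ffmpeg gains a new file-reading flag.
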
@ZhaiSoul
Contributor

By the way, did the Reindex button for semantic search disappear?

@hawkeye217
Collaborator Author

> By the way, did the Reindex button for semantic search disappear?

Looks like it did. Let me push a change.

mergeSectionConfig was replacing the entire base uiSchema when a
level override (global/camera) also defined one, causing base-level
ui:after/ui:before directives to be silently dropped. This broke
the SemanticSearchReindex button which was defined in base uiSchema.

@hawkeye217 hawkeye217 merged commit b821420 into dev Mar 31, 2026
9 checks passed
@hawkeye217 hawkeye217 deleted the misc-fixes branch March 31, 2026 18:45
@ZhaiSoul
Contributor

Also, I saw fields in Weblate for using different model configurations for specific detectors, but I didn’t see them being used on the page either. Is this feature not yet implemented, or is it a display issue?

@hawkeye217
Collaborator Author

hawkeye217 commented Mar 31, 2026

The Weblate strings exist because they were auto-generated from the full JSON schema, but special model fields are not yet implemented.

Actually, these are already implemented when a detector is added that has special fields. The fields are nested under detectors, not under model, so they appear in the Detector hardware section in the UI, not in the Detection model section.
