enforce camera access on VLM monitor endpoint

POST /vlm/monitor allowed any authenticated user to start VLM
monitoring on any camera without checking camera access. A viewer
restricted to specific cameras could monitor cameras they should
not have access to.
This commit is contained in:
Josh Hawkins 2026-03-31 12:53:29 -05:00
parent 2e4d8ed661
commit 082f025509

View File

@ -15,6 +15,7 @@ from pydantic import BaseModel
from frigate.api.auth import ( from frigate.api.auth import (
allow_any_authenticated, allow_any_authenticated,
get_allowed_cameras_for_filter, get_allowed_cameras_for_filter,
require_camera_access,
) )
from frigate.api.defs.query.events_query_parameters import EventsQueryParams from frigate.api.defs.query.events_query_parameters import EventsQueryParams
from frigate.api.defs.request.chat_body import ChatCompletionRequest from frigate.api.defs.request.chat_body import ChatCompletionRequest
@ -1156,6 +1157,8 @@ async def start_vlm_monitor(
status_code=404, status_code=404,
) )
await require_camera_access(body.camera, request=request)
vision_client = genai_manager.vision_client or genai_manager.tool_client vision_client = genai_manager.vision_client or genai_manager.tool_client
if vision_client is None: if vision_client is None:
return JSONResponse( return JSONResponse(