From 375c824ea3d885520e50a5c6c4dc383e82f8c28d Mon Sep 17 00:00:00 2001
From: Josh Hawkins <32435876+hawkeye217@users.noreply.github.com>
Date: Tue, 9 Sep 2025 10:17:05 -0500
Subject: [PATCH] ensure admin and viewer are never overridden

---
 frigate/config/auth.py | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/frigate/config/auth.py b/frigate/config/auth.py
index ccfadd839..d1f7a5151 100644
--- a/frigate/config/auth.py
+++ b/frigate/config/auth.py
@@ -1,6 +1,6 @@
 from typing import Dict, List, Optional
 
-from pydantic import Field, field_validator
+from pydantic import Field, field_validator, model_validator
 
 from .base import FrigateBaseModel
 
@@ -48,9 +48,12 @@ class AuthConfig(FrigateBaseModel):
                 raise ValueError(
                     f"Invalid role name '{role}'. Must be alphanumeric with underscores."
                 )
-        # Default admin and viewer to empty lists if not present
-        if "admin" not in v:
-            v["admin"] = []
-        if "viewer" not in v:
-            v["viewer"] = []
         return v
+
+    @model_validator(mode="after")
+    def ensure_default_roles(self):
+        # Ensure admin and viewer are never overridden
+        self.roles["admin"] = []
+        self.roles["viewer"] = []
+
+        return self