From dce47642ef6d75684c9856ff24b9bbe76d40075a Mon Sep 17 00:00:00 2001
From: Josh Hawkins <32435876+hawkeye217@users.noreply.github.com>
Date: Wed, 26 Nov 2025 10:21:31 -0600
Subject: [PATCH] add missing exempt path

---
 frigate/api/auth.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/frigate/api/auth.py b/frigate/api/auth.py
index 9d8de09b9..737f3706b 100644
--- a/frigate/api/auth.py
+++ b/frigate/api/auth.py
@@ -86,7 +86,8 @@ def require_admin_by_default():
     # Path prefixes that should be exempt (for paths with parameters)
     EXEMPT_PREFIXES = (
         "/logs/",  # /logs/{service}
-        "/review",  # /review, /review/{id}, /review_ids, etc.
+        "/review",  # /review, /review/{id}, /review_ids, /review/summary, etc.
+        "/reviews/",  # /reviews/viewed, /reviews/delete
         "/events/",  # /events/{id}/thumbnail, etc. (camera-scoped)
         "/go2rtc/streams/",  # /go2rtc/streams/{camera}
         "/users/",  # /users/{username}/password (has own auth)
@@ -166,7 +167,7 @@ def allow_any_authenticated():
         role = request.headers.get("remote-role")
         if role == "admin":
             return
-        
+
         # Otherwise require a real authenticated user (not anonymous)
         if not _is_authenticated(request):
             raise HTTPException(status_code=401, detail="Authentication required")