From e888a08fd1ae41be47e966d7d5b2a640956b15e0 Mon Sep 17 00:00:00 2001
From: Josh Hawkins <32435876+hawkeye217@users.noreply.github.com>
Date: Thu, 11 Sep 2025 12:17:10 -0500
Subject: [PATCH] use validator to prevent reserved and empty roles from being
 assigned

---
 frigate/config/auth.py | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/frigate/config/auth.py b/frigate/config/auth.py
index d1f7a5151..fd5d0e394 100644
--- a/frigate/config/auth.py
+++ b/frigate/config/auth.py
@@ -48,6 +48,21 @@ class AuthConfig(FrigateBaseModel):
                 raise ValueError(
                     f"Invalid role name '{role}'. Must be alphanumeric with underscores."
                 )
+
+        # Ensure 'admin' and 'viewer' are not used as custom role names
+        reserved_roles = {"admin", "viewer"}
+        if v.keys() & reserved_roles:
+            raise ValueError(
+                f"Reserved roles {reserved_roles} cannot be used as custom roles."
+            )
+
+        # Ensure no role has an empty camera list
+        for role, allowed_cameras in v.items():
+            if not allowed_cameras:
+                raise ValueError(
+                    f"Role '{role}' has no cameras assigned. Custom roles must have at least one camera."
+                )
+
         return v
 
     @model_validator(mode="after")