mypy

- allow users to select a plus model from the select even when one was not previously loaded
- always show model summary card
- add model filter popover
- add restart button totast

frigate/api/auth.py

@@ -26,7 +26,6 @@ from frigate.api.defs.request.app_body import (
     AppPutRoleBody,
 )
 from frigate.api.defs.tags import Tags
-from frigate.api.media_auth import check_camera_access, deny_response_for_media_uri
 from frigate.config import AuthConfig, NetworkingConfig, ProxyConfig
 from frigate.const import CONFIG_DIR, JWT_SECRET_ENV_VAR, PASSWORD_HASH_ALGORITHM
 from frigate.models import User
@@ -634,9 +633,6 @@ def auth(request: Request):
         logger.debug("X-Proxy-Secret header does not match configured secret value")
         return fail_response
 
-    original_url = request.headers.get("x-original-url")
-    frigate_config = request.app.frigate_config
-
     # if auth is disabled, just apply the proxy header map and return success
     if not auth_config.enabled:
         # pass the user header value from the upstream proxy if a mapping is specified
@@ -653,11 +649,6 @@ def auth(request: Request):
         role = resolve_role(request.headers, proxy_config, config_roles_set)
 
         success_response.headers["remote-role"] = role
-
-        deny_status = deny_response_for_media_uri(original_url, role, frigate_config)
-        if deny_status is not None:
-            return Response("", status_code=deny_status)
-
         return success_response
 
     # now apply authentication
@@ -752,11 +743,6 @@ def auth(request: Request):
 
         success_response.headers["remote-user"] = user
         success_response.headers["remote-role"] = role
-
-        deny_status = deny_response_for_media_uri(original_url, role, frigate_config)
-        if deny_status is not None:
-            return Response("", status_code=deny_status)
-
         return success_response
     except Exception as e:
         logger.error(f"Error parsing jwt: {e}")
@@ -1083,19 +1069,19 @@ async def require_camera_access(
         raise HTTPException(status_code=current_user.status_code, detail=detail)
 
     role = current_user["role"]
-    frigate_config = request.app.frigate_config
+    all_camera_names = set(request.app.frigate_config.cameras.keys())
+    roles_dict = request.app.frigate_config.auth.roles
+    allowed_cameras = User.get_allowed_cameras(role, roles_dict, all_camera_names)
 
-    if check_camera_access(role, camera_name, frigate_config):
+    # Admin or full access bypasses
+    if role == "admin" or not roles_dict.get(role):
         return
 
-    all_camera_names = set(frigate_config.cameras.keys())
-    allowed_cameras = User.get_allowed_cameras(
-        role, frigate_config.auth.roles, all_camera_names
-    )
-    raise HTTPException(
-        status_code=403,
-        detail=f"Access denied to camera '{camera_name}'. Allowed: {allowed_cameras}",
-    )
+    if camera_name not in allowed_cameras:
+        raise HTTPException(
+            status_code=403,
+            detail=f"Access denied to camera '{camera_name}'. Allowed: {allowed_cameras}",
+        )
 
 
 def _get_stream_owner_cameras(request: Request, stream_name: str) -> set[str]:

frigate/api/media_auth.py

@@ -1,291 +0,0 @@
-"""URI-aware authorization for nginx-served static media.
-
-The `/auth` endpoint (used as nginx `auth_request` target) calls into this
-module to classify the requested URI from the `X-Original-URL` header and, for
-camera-scoped resources, decide whether the current role may access them.
-
-Without this, `auth_request` only verifies the JWT — every authenticated user
-could read clips, recordings, and exports for *any* camera, bypassing the
-per-camera authorization the regular API enforces via `require_camera_access`.
-"""
-
-from __future__ import annotations
-
-import logging
-import os
-from enum import Enum
-from typing import Optional
-from urllib.parse import unquote, urlparse
-
-from peewee import DoesNotExist
-
-from frigate.config import FrigateConfig
-from frigate.const import EXPORT_DIR
-from frigate.models import Export, User
-
-logger = logging.getLogger(__name__)
-
-
-class MediaAuthResolution(str, Enum):
-    """Classification of an `X-Original-URL` path for media-auth purposes."""
-
-    CAMERA = "camera"
-    ADMIN_ONLY = "admin_only"
-    LISTING_MULTI_CAMERA = "listing_multi_camera"
-    LISTING_NEUTRAL = "listing_neutral"
-    # Under a recognized media root (/clips, /recordings, /exports) but
-    # unclassifiable (unknown subtree, no matching DB row, DB error).
-    # Restricted users are denied; admins/full-access roles are allowed
-    # (nginx will likely return 404 if the file genuinely doesn't exist).
-    UNRESOLVED_MEDIA = "unresolved_media"
-    # Not a media URI at all (e.g. /api/events, /login).
-    UNKNOWN = "unknown"
-
-
-def extract_path(original_url: Optional[str]) -> Optional[str]:
-    """Return the decoded path component of nginx's `X-Original-URL` header.
-
-    nginx forwards the *raw* request URI (with `..` segments intact) via
-    `$request_uri`. nginx normalizes the path before serving the file, so a
-    request like `/recordings/.../allowed_cam/../forbidden_cam/file.mp4`
-    would (1) parse as the allowed camera in our auth check, (2) be served
-    as the forbidden camera by nginx. To close the bypass we reject any URI
-    whose path contains `.` or `..` segments outright.
-    """
-    if not original_url:
-        return None
-
-    parsed = urlparse(original_url)
-    raw_path = parsed.path or original_url
-    decoded = unquote(raw_path)
-    if not decoded:
-        return None
-
-    if not decoded.startswith("/"):
-        decoded = "/" + decoded
-
-    segments = decoded.split("/")
-    if ".." in segments or "." in segments:
-        return None
-
-    return decoded
-
-
-def resolve_media_uri(
-    uri: str, frigate_config: Optional[FrigateConfig] = None
-) -> tuple[MediaAuthResolution, Optional[str]]:
-    """Classify a URI and return the owning camera if applicable.
-
-    `frigate_config` is used to disambiguate clip/review filenames whose
-    camera name contains hyphens by matching against the longest configured
-    camera-name prefix.
-    """
-    if not uri:
-        return MediaAuthResolution.UNKNOWN, None
-
-    parts = [p for p in uri.split("/") if p]
-    if not parts:
-        return MediaAuthResolution.UNKNOWN, None
-
-    root = parts[0]
-    if root == "recordings":
-        return _resolve_recording(parts)
-    if root == "clips":
-        return _resolve_clip(parts, frigate_config)
-    if root == "exports":
-        return _resolve_export(parts)
-
-    return MediaAuthResolution.UNKNOWN, None
-
-
-def _resolve_recording(
-    parts: list[str],
-) -> tuple[MediaAuthResolution, Optional[str]]:
-    # /recordings                          → neutral
-    # /recordings/{date}                   → neutral
-    # /recordings/{date}/{hour}            → multi-camera listing
-    # /recordings/{date}/{hour}/{cam}/...  → camera
-    if len(parts) <= 2:
-        return MediaAuthResolution.LISTING_NEUTRAL, None
-    if len(parts) == 3:
-        return MediaAuthResolution.LISTING_MULTI_CAMERA, None
-    return MediaAuthResolution.CAMERA, parts[3]
-
-
-def _resolve_clip(
-    parts: list[str], frigate_config: Optional[FrigateConfig]
-) -> tuple[MediaAuthResolution, Optional[str]]:
-    # /clips                                          → multi-camera listing
-    # /clips/thumbs/{cam}/...                         → camera
-    # /clips/previews/{cam}/...                       → camera
-    # /clips/review/thumb-{cam}-{review_id}.webp      → camera (parsed)
-    # /clips/faces/...                                → admin-only
-    # /clips/genai-requests/...                       → admin-only
-    # /clips/preview_restart_cache/...                → admin-only
-    # /clips/{model}/train|dataset/...                → admin-only
-    # /clips/{cam}-{event_id}[-clean].{ext}           → camera (parsed)
-    # other /clips/{subdir}/...                       → unresolved (deny restricted)
-    if len(parts) == 1:
-        return MediaAuthResolution.LISTING_MULTI_CAMERA, None
-
-    second = parts[1]
-
-    if second in ("thumbs", "previews"):
-        if len(parts) == 2:
-            return MediaAuthResolution.LISTING_MULTI_CAMERA, None
-        return MediaAuthResolution.CAMERA, parts[2]
-
-    if second == "review":
-        if len(parts) == 2:
-            return MediaAuthResolution.LISTING_MULTI_CAMERA, None
-        camera = _camera_from_thumb_filename(parts[2], frigate_config)
-        if camera:
-            return MediaAuthResolution.CAMERA, camera
-        return MediaAuthResolution.UNRESOLVED_MEDIA, None
-
-    if second in ("faces", "genai-requests", "preview_restart_cache"):
-        return MediaAuthResolution.ADMIN_ONLY, None
-
-    if len(parts) >= 3 and parts[2] in ("train", "dataset"):
-        return MediaAuthResolution.ADMIN_ONLY, None
-
-    if len(parts) == 2:
-        camera = _camera_from_clip_filename(second, frigate_config)
-        if camera:
-            return MediaAuthResolution.CAMERA, camera
-        return MediaAuthResolution.UNRESOLVED_MEDIA, None
-
-    return MediaAuthResolution.UNRESOLVED_MEDIA, None
-
-
-def _longest_prefix_camera(
-    stem: str, frigate_config: Optional[FrigateConfig]
-) -> Optional[str]:
-    if frigate_config is None:
-        return None
-    for cam in sorted(frigate_config.cameras.keys(), key=len, reverse=True):
-        if stem.startswith(cam + "-"):
-            return cam
-    return None
-
-
-def _camera_from_clip_filename(
-    filename: str, frigate_config: Optional[FrigateConfig]
-) -> Optional[str]:
-    """Match a flat clip filename `{camera}-{event_id}[-clean].{ext}` against
-    configured camera names. Longest-prefix wins so camera names containing
-    hyphens (e.g. `front-door`) resolve correctly.
-    """
-    dot = filename.rfind(".")
-    stem = filename[:dot] if dot > 0 else filename
-    return _longest_prefix_camera(stem, frigate_config)
-
-
-def _camera_from_thumb_filename(
-    filename: str, frigate_config: Optional[FrigateConfig]
-) -> Optional[str]:
-    """Match a review thumbnail filename `thumb-{camera}-{review_id}.webp`."""
-    if not filename.startswith("thumb-"):
-        return None
-    dot = filename.rfind(".")
-    stem = filename[len("thumb-") : dot] if dot > 0 else filename[len("thumb-") :]
-    return _longest_prefix_camera(stem, frigate_config)
-
-
-def _resolve_export(
-    parts: list[str],
-) -> tuple[MediaAuthResolution, Optional[str]]:
-    # /exports                  → multi-camera listing
-    # /exports/{filename}.mp4   → camera (DB lookup by exact path)
-    if len(parts) == 1:
-        return MediaAuthResolution.LISTING_MULTI_CAMERA, None
-    if len(parts) != 2:
-        return MediaAuthResolution.UNRESOLVED_MEDIA, None
-
-    filename = parts[1]
-    full_path = os.path.join(EXPORT_DIR, filename)
-    try:
-        export = Export.get(Export.video_path == full_path)
-        return MediaAuthResolution.CAMERA, export.camera
-    except DoesNotExist:
-        return MediaAuthResolution.UNRESOLVED_MEDIA, None
-    except Exception as e:
-        logger.warning("Export DB lookup failed for %s: %s", filename, e)
-        return MediaAuthResolution.UNRESOLVED_MEDIA, None
-
-
-def check_camera_access(role: str, camera: str, frigate_config: FrigateConfig) -> bool:
-    """Return True iff `role` may access `camera`.
-
-    Mirrors the gating logic in `require_camera_access`: admin and any role
-    without a non-empty allow-list bypass the check.
-    """
-    if role == "admin":
-        return True
-
-    roles_dict = frigate_config.auth.roles
-    if not roles_dict.get(role):
-        return True
-
-    all_camera_names = set(frigate_config.cameras.keys())
-    allowed = User.get_allowed_cameras(role, roles_dict, all_camera_names)
-    return camera in allowed
-
-
-def is_role_restricted(role: str, frigate_config: FrigateConfig) -> bool:
-    """True if `role` has a non-empty allow-list (i.e. not full-access)."""
-    if role == "admin":
-        return False
-    return bool(frigate_config.auth.roles.get(role))
-
-
-def deny_response_for_media_uri(
-    original_url: Optional[str], role: Optional[str], frigate_config: FrigateConfig
-) -> Optional[int]:
-    """Decide whether the current role should be blocked from `original_url`.
-
-    Returns an HTTP status code (403) when access should be denied, or `None`
-    when the request is allowed.
-    """
-    if not original_url:
-        return None
-
-    path = extract_path(original_url)
-
-    # `extract_path` returns None for URIs containing `.` or `..` segments.
-    # For media-root URIs that's a traversal attempt — deny outright. For
-    # non-media URIs, pass through (nginx / the backend handle them).
-    if path is None:
-        raw = urlparse(original_url).path or original_url
-        decoded = unquote(raw)
-        first = decoded.lstrip("/").split("/", 1)[0] if decoded else ""
-        if first in ("clips", "recordings", "exports"):
-            return 403
-        return None
-
-    resolution, camera = resolve_media_uri(path, frigate_config)
-    if resolution == MediaAuthResolution.UNKNOWN:
-        return None
-
-    if not role or role == "admin":
-        return None
-
-    if not is_role_restricted(role, frigate_config):
-        return None
-
-    if resolution == MediaAuthResolution.LISTING_NEUTRAL:
-        return None
-
-    if resolution in (
-        MediaAuthResolution.LISTING_MULTI_CAMERA,
-        MediaAuthResolution.ADMIN_ONLY,
-        MediaAuthResolution.UNRESOLVED_MEDIA,
-    ):
-        return 403
-
-    if resolution == MediaAuthResolution.CAMERA:
-        if camera and check_camera_access(role, camera, frigate_config):
-            return None
-        return 403
-
-    return 403

frigate/config/config.py

@@ -862,9 +862,7 @@ class FrigateConfig(FrigateBaseModel):
                     if mask_config:
                         coords = mask_config.coordinates
                         relative_coords = get_relative_coordinates(
-                            coords,
-                            camera_config.frame_shape,
-                            camera_name=camera_config.name,
+                            coords, camera_config.frame_shape
                         )
                         # Create a new ObjectMaskConfig with raw_coordinates set
                         processed_global_masks[mask_id] = ObjectMaskConfig(

frigate/test/test_media_auth.py

@@ -1,381 +0,0 @@
-"""Unit tests for `frigate.api.media_auth`.
-
-Covers URI classification, the role-vs-camera decision matrix, and the export
-DB-lookup path. These are pure functions/DB lookups — no HTTP stack involved.
-"""
-
-import datetime
-import logging
-import os
-import unittest
-
-from peewee_migrate import Router
-from playhouse.sqlite_ext import SqliteExtDatabase
-from playhouse.sqliteq import SqliteQueueDatabase
-
-from frigate.api.media_auth import (
-    MediaAuthResolution,
-    deny_response_for_media_uri,
-    extract_path,
-    resolve_media_uri,
-)
-from frigate.config import FrigateConfig
-from frigate.models import Event, Export, Recordings, ReviewSegment
-from frigate.test.const import TEST_DB, TEST_DB_CLEANUPS
-
-_CONFIG = {
-    "mqtt": {"host": "mqtt"},
-    "auth": {"roles": {"limited_user": ["front_door"]}},
-    "cameras": {
-        "front_door": {
-            "ffmpeg": {
-                "inputs": [{"path": "rtsp://10.0.0.1:554/video", "roles": ["detect"]}]
-            },
-            "detect": {"height": 1080, "width": 1920, "fps": 5},
-        },
-        "back_door": {
-            "ffmpeg": {
-                "inputs": [{"path": "rtsp://10.0.0.2:554/video", "roles": ["detect"]}]
-            },
-            "detect": {"height": 1080, "width": 1920, "fps": 5},
-        },
-        # Camera name with a hyphen — exercises longest-prefix match.
-        "back-yard": {
-            "ffmpeg": {
-                "inputs": [{"path": "rtsp://10.0.0.3:554/video", "roles": ["detect"]}]
-            },
-            "detect": {"height": 1080, "width": 1920, "fps": 5},
-        },
-    },
-}
-
-
-class TestExtractPath(unittest.TestCase):
-    def test_full_url(self):
-        self.assertEqual(
-            extract_path("http://host:8971/clips/front_door-1.jpg"),
-            "/clips/front_door-1.jpg",
-        )
-
-    def test_strips_query_string(self):
-        self.assertEqual(
-            extract_path("http://h/recordings/2026-05-11/14/front_door/00.00.mp4?t=1"),
-            "/recordings/2026-05-11/14/front_door/00.00.mp4",
-        )
-
-    def test_path_only(self):
-        self.assertEqual(extract_path("/exports/x.mp4"), "/exports/x.mp4")
-
-    def test_percent_decoded(self):
-        self.assertEqual(
-            extract_path("http://h/clips/front%20door-1.jpg"),
-            "/clips/front door-1.jpg",
-        )
-
-    def test_empty(self):
-        self.assertIsNone(extract_path(None))
-        self.assertIsNone(extract_path(""))
-
-
-class TestResolveMediaUri(unittest.TestCase):
-    def setUp(self):
-        self.config = FrigateConfig(**_CONFIG)
-
-    def _assert(self, uri, resolution, camera=None):
-        got_resolution, got_camera = resolve_media_uri(uri, self.config)
-        self.assertEqual(got_resolution, resolution, uri)
-        self.assertEqual(got_camera, camera, uri)
-
-    def test_unknown_paths(self):
-        self._assert("/api/events", MediaAuthResolution.UNKNOWN)
-        self._assert("/", MediaAuthResolution.UNKNOWN)
-        self._assert("", MediaAuthResolution.UNKNOWN)
-
-    def test_recordings(self):
-        self._assert("/recordings/", MediaAuthResolution.LISTING_NEUTRAL)
-        self._assert("/recordings/2026-05-11/", MediaAuthResolution.LISTING_NEUTRAL)
-        self._assert(
-            "/recordings/2026-05-11/14/", MediaAuthResolution.LISTING_MULTI_CAMERA
-        )
-        self._assert(
-            "/recordings/2026-05-11/14/front_door/",
-            MediaAuthResolution.CAMERA,
-            camera="front_door",
-        )
-        self._assert(
-            "/recordings/2026-05-11/14/back_door/00.00.mp4",
-            MediaAuthResolution.CAMERA,
-            camera="back_door",
-        )
-
-    def test_clip_flat_filename_resolves_camera(self):
-        self._assert(
-            "/clips/front_door-1234.jpg",
-            MediaAuthResolution.CAMERA,
-            camera="front_door",
-        )
-        self._assert(
-            "/clips/back_door-1234-clean.webp",
-            MediaAuthResolution.CAMERA,
-            camera="back_door",
-        )
-
-    def test_clip_filename_with_hyphenated_camera_name(self):
-        # Camera name "back-yard" itself contains a hyphen; longest-prefix
-        # match must pick `back-yard`, not the bogus `back` prefix.
-        self._assert(
-            "/clips/back-yard-1234.jpg",
-            MediaAuthResolution.CAMERA,
-            camera="back-yard",
-        )
-
-    def test_clip_filename_no_matching_camera(self):
-        # Looks like a media path but couldn't classify — fail closed for
-        # restricted users (UNRESOLVED_MEDIA), not pass-through.
-        self._assert(
-            "/clips/nonexistent-1234.jpg", MediaAuthResolution.UNRESOLVED_MEDIA
-        )
-
-    def test_clip_thumbs(self):
-        self._assert("/clips/thumbs/", MediaAuthResolution.LISTING_MULTI_CAMERA)
-        self._assert(
-            "/clips/thumbs/front_door/",
-            MediaAuthResolution.CAMERA,
-            camera="front_door",
-        )
-        self._assert(
-            "/clips/thumbs/back_door/abc.webp",
-            MediaAuthResolution.CAMERA,
-            camera="back_door",
-        )
-
-    def test_clip_previews(self):
-        self._assert("/clips/previews/", MediaAuthResolution.LISTING_MULTI_CAMERA)
-        self._assert(
-            "/clips/previews/front_door/",
-            MediaAuthResolution.CAMERA,
-            camera="front_door",
-        )
-        self._assert(
-            "/clips/previews/back_door/segment.mp4",
-            MediaAuthResolution.CAMERA,
-            camera="back_door",
-        )
-
-    def test_clip_review_thumbs(self):
-        # Format: /clips/review/thumb-{camera}-{review_id}.webp (frigate/review/maintainer.py).
-        self._assert(
-            "/clips/review/thumb-front_door-abc123.webp",
-            MediaAuthResolution.CAMERA,
-            camera="front_door",
-        )
-        # Hyphenated camera name — longest-prefix match.
-        self._assert(
-            "/clips/review/thumb-back-yard-abc123.webp",
-            MediaAuthResolution.CAMERA,
-            camera="back-yard",
-        )
-        # Unknown camera prefix → unresolved, not allowed for restricted users.
-        self._assert(
-            "/clips/review/thumb-unknown-cam-abc123.webp",
-            MediaAuthResolution.UNRESOLVED_MEDIA,
-        )
-
-    def test_clip_admin_only_subtrees(self):
-        self._assert("/clips/faces/train/foo.webp", MediaAuthResolution.ADMIN_ONLY)
-        self._assert("/clips/faces/", MediaAuthResolution.ADMIN_ONLY)
-        self._assert("/clips/genai-requests/x/0.webp", MediaAuthResolution.ADMIN_ONLY)
-        self._assert(
-            "/clips/preview_restart_cache/x.mp4", MediaAuthResolution.ADMIN_ONLY
-        )
-        self._assert("/clips/some_model/train/x.jpg", MediaAuthResolution.ADMIN_ONLY)
-        self._assert("/clips/some_model/dataset/x.jpg", MediaAuthResolution.ADMIN_ONLY)
-
-    def test_clip_unknown_subtree_is_unresolved(self):
-        # Unknown /clips/{x}/{y}/... subtree falls through as unresolved (not
-        # admin-only) so restricted users get 403 without admins being denied
-        # access to legitimate but unrecognized resources.
-        self._assert("/clips/random_dir/foo.jpg", MediaAuthResolution.UNRESOLVED_MEDIA)
-
-    def test_clip_top_level_listing(self):
-        self._assert("/clips/", MediaAuthResolution.LISTING_MULTI_CAMERA)
-
-    def test_exports_listing(self):
-        self._assert("/exports/", MediaAuthResolution.LISTING_MULTI_CAMERA)
-
-
-class TestExportResolution(unittest.TestCase):
-    """Export resolution requires a DB lookup."""
-
-    def setUp(self):
-        migrate_db = SqliteExtDatabase("test.db")
-        del logging.getLogger("peewee_migrate").handlers[:]
-        Router(migrate_db).run()
-        migrate_db.close()
-        self.db = SqliteQueueDatabase(TEST_DB)
-        self.db.bind([Event, ReviewSegment, Recordings, Export])
-        self.config = FrigateConfig(**_CONFIG)
-
-    def tearDown(self):
-        if not self.db.is_closed():
-            self.db.close()
-        for f in TEST_DB_CLEANUPS:
-            try:
-                os.remove(f)
-            except OSError:
-                pass
-
-    def _insert_export(self, export_id, camera, filename):
-        Export.insert(
-            id=export_id,
-            camera=camera,
-            name=f"export-{export_id}",
-            date=datetime.datetime.now(),
-            video_path=f"/media/frigate/exports/{filename}",
-            thumb_path=f"/media/frigate/exports/{filename}.jpg",
-            in_progress=False,
-        ).execute()
-
-    def test_export_resolves_camera(self):
-        self._insert_export(
-            "exp1", "back_door", "back_door_20260511_140000-20260511_150000_abc123.mp4"
-        )
-        resolution, camera = resolve_media_uri(
-            "/exports/back_door_20260511_140000-20260511_150000_abc123.mp4",
-            self.config,
-        )
-        self.assertEqual(resolution, MediaAuthResolution.CAMERA)
-        self.assertEqual(camera, "back_door")
-
-    def test_unknown_export_is_unresolved(self):
-        # No matching row → UNRESOLVED_MEDIA (fail closed for restricted users),
-        # not UNKNOWN (which would pass-through).
-        resolution, camera = resolve_media_uri(
-            "/exports/does_not_exist.mp4", self.config
-        )
-        self.assertEqual(resolution, MediaAuthResolution.UNRESOLVED_MEDIA)
-        self.assertIsNone(camera)
-
-    def test_export_anchored_match_not_endswith(self):
-        # Anchored exact-path equality must NOT match by filename suffix.
-        # A request like /exports/clip.mp4 must not authorize against a row at
-        # /media/frigate/exports/back_door_clip.mp4 just because the suffix matches.
-        self._insert_export("exp_bd", "back_door", "back_door_clip.mp4")
-        self._insert_export("exp_fd", "front_door", "front_door_clip.mp4")
-        resolution, _ = resolve_media_uri("/exports/clip.mp4", self.config)
-        self.assertEqual(resolution, MediaAuthResolution.UNRESOLVED_MEDIA)
-
-
-class TestDenyResponseForMediaUri(unittest.TestCase):
-    """End-to-end decision check used by /auth."""
-
-    def setUp(self):
-        self.config = FrigateConfig(**_CONFIG)
-
-    def _deny(self, url, role):
-        return deny_response_for_media_uri(url, role, self.config)
-
-    def test_admin_always_allowed(self):
-        self.assertIsNone(self._deny("/clips/back_door-1.jpg", "admin"))
-        self.assertIsNone(self._deny("/clips/", "admin"))
-        self.assertIsNone(self._deny("/clips/faces/x.webp", "admin"))
-        self.assertIsNone(
-            self._deny("/recordings/2026-05-11/14/back_door/00.00.mp4", "admin")
-        )
-
-    def test_unrestricted_role_allowed(self):
-        # "viewer" role has no entry in roles_dict → full access (matches the
-        # behavior of require_camera_access).
-        self.assertIsNone(self._deny("/clips/back_door-1.jpg", "viewer"))
-        self.assertIsNone(self._deny("/clips/", "viewer"))
-
-    def test_restricted_role_allowed_camera(self):
-        self.assertIsNone(self._deny("/clips/front_door-1.jpg", "limited_user"))
-        self.assertIsNone(
-            self._deny("/recordings/2026-05-11/14/front_door/00.00.mp4", "limited_user")
-        )
-        self.assertIsNone(
-            self._deny("/clips/thumbs/front_door/abc.webp", "limited_user")
-        )
-
-    def test_restricted_role_blocked_other_camera(self):
-        self.assertEqual(self._deny("/clips/back_door-1.jpg", "limited_user"), 403)
-        self.assertEqual(
-            self._deny("/recordings/2026-05-11/14/back_door/00.00.mp4", "limited_user"),
-            403,
-        )
-        self.assertEqual(
-            self._deny("/clips/thumbs/back_door/abc.webp", "limited_user"), 403
-        )
-
-    def test_restricted_role_blocked_admin_only(self):
-        self.assertEqual(self._deny("/clips/faces/train/foo.webp", "limited_user"), 403)
-
-    def test_restricted_role_blocked_multi_camera_listing(self):
-        self.assertEqual(self._deny("/clips/", "limited_user"), 403)
-        self.assertEqual(self._deny("/exports/", "limited_user"), 403)
-        self.assertEqual(self._deny("/recordings/2026-05-11/14/", "limited_user"), 403)
-
-    def test_restricted_role_allowed_neutral_listing(self):
-        self.assertIsNone(self._deny("/recordings/", "limited_user"))
-        self.assertIsNone(self._deny("/recordings/2026-05-11/", "limited_user"))
-
-    def test_non_media_uri_passes_through(self):
-        self.assertIsNone(self._deny("/api/events", "limited_user"))
-        self.assertIsNone(self._deny("http://h/login", "limited_user"))
-
-    def test_missing_header(self):
-        self.assertIsNone(self._deny(None, "limited_user"))
-        self.assertIsNone(self._deny("", "limited_user"))
-
-    def test_traversal_in_media_uri_denied_for_all_roles(self):
-        # Bypass attempt: parts[3] looks like an allowed camera, but the
-        # normalized path nginx would serve points at a forbidden camera.
-        # Both restricted and admin should be denied — the URI is malformed
-        # and we refuse to make an auth decision against it.
-        traversal_uris = [
-            "/recordings/2026-05-11/14/front_door/../back_door/00.00.mp4",
-            "/clips/front_door-1.jpg/../back_door-1.jpg",
-            "/exports/../recordings/2026-05-11/14/back_door/00.00.mp4",
-            "/clips/./back_door-1.jpg",
-        ]
-        for uri in traversal_uris:
-            self.assertEqual(self._deny(uri, "limited_user"), 403, uri)
-            self.assertEqual(self._deny(uri, "admin"), 403, uri)
-            self.assertEqual(self._deny(uri, "viewer"), 403, uri)
-
-    def test_traversal_outside_media_passes_through(self):
-        # `..` in non-media URIs is not our problem; the backend handles it.
-        self.assertIsNone(self._deny("/api/foo/../bar", "limited_user"))
-
-    def test_percent_encoded_traversal_denied(self):
-        # nginx may decode percent-encoded `%2E%2E` to `..` before serving;
-        # we must apply the same denial after percent-decoding.
-        self.assertEqual(
-            self._deny(
-                "/recordings/2026-05-11/14/front_door/%2E%2E/back_door/00.mp4",
-                "limited_user",
-            ),
-            403,
-        )
-
-    def test_unresolved_media_fails_closed_for_restricted(self):
-        # Restricted user requesting a media URI we can't classify (no DB row,
-        # unknown clip prefix, unknown clip subtree) must be denied.
-        self.assertEqual(self._deny("/clips/nonexistent-1.jpg", "limited_user"), 403)
-        self.assertEqual(self._deny("/clips/random_dir/foo.jpg", "limited_user"), 403)
-        self.assertEqual(
-            self._deny("/clips/review/thumb-unknown_cam-1.webp", "limited_user"),
-            403,
-        )
-
-    def test_unresolved_media_allowed_for_admin(self):
-        # Admin and full-access roles are *not* denied on UNRESOLVED_MEDIA —
-        # nginx returns 404 if the file doesn't exist on disk anyway, and we
-        # don't want a stale DB to lock out admins.
-        self.assertIsNone(self._deny("/clips/nonexistent-1.jpg", "admin"))
-        self.assertIsNone(self._deny("/clips/nonexistent-1.jpg", "viewer"))
-
-
-if __name__ == "__main__":
-    unittest.main()

frigate/util/config.py

@@ -608,14 +608,11 @@ def migrate_018_0(config: dict[str, dict[str, Any]]) -> dict[str, dict[str, Any]
 
 
 def get_relative_coordinates(
-    mask: Optional[Union[str, list]],
-    frame_shape: tuple[int, int],
-    camera_name: str = "",
+    mask: Optional[Union[str, list]], frame_shape: tuple[int, int]
 ) -> Union[str, list]:
     # masks and zones are saved as relative coordinates
     # we know if any points are > 1 then it is using the
     # old native resolution coordinates
-    where = f" for camera {camera_name}" if camera_name else ""
     if mask:
         if isinstance(mask, list) and any(x > "1.0" for x in mask[0].split(",")):
             relative_masks = []
@@ -630,7 +627,7 @@ def get_relative_coordinates(
 
                         if x > frame_shape[1] or y > frame_shape[0]:
                             logger.error(
-                                f"Not applying mask due to invalid coordinates{where}. {x},{y} is outside of the detection resolution {frame_shape[1]}x{frame_shape[0]}. Use the editor in the UI to correct the mask."
+                                f"Not applying mask due to invalid coordinates. {x},{y} is outside of the detection resolution {frame_shape[1]}x{frame_shape[0]}. Use the editor in the UI to correct the mask."
                             )
                             continue
 
@@ -653,7 +650,7 @@ def get_relative_coordinates(
 
                 if x > frame_shape[1] or y > frame_shape[0]:
                     logger.error(
-                        f"Not applying mask due to invalid coordinates{where}. {x},{y} is outside of the detection resolution {frame_shape[1]}x{frame_shape[0]}. Use the editor in the UI to correct the mask."
+                        f"Not applying mask due to invalid coordinates. {x},{y} is outside of the detection resolution {frame_shape[1]}x{frame_shape[0]}. Use the editor in the UI to correct the mask."
                     )
                     return []
 

web/public/locales/en/objects.json

@@ -125,5 +125,5 @@
   "baby": "Baby",
   "baby_stroller": "Baby Stroller",
   "rickshaw": "Rickshaw",
-  "rodent": "Rodent"
-}
+  "Rodent": "Rodent"
+}

web/src/components/config-form/section-configs/ffmpeg.ts

@@ -41,12 +41,19 @@ const ffmpeg: SectionConfigOverrides = {
       "input_args",
       "hwaccel_args",
       "output_args",
-      "apple_compatibility",
       "path",
+      "retry_interval",
+      "apple_compatibility",
+      "gpu",
+    ],
+    hiddenFields: [],
+    advancedFields: [
+      "path",
+      "global_args",
+      "retry_interval",
+      "apple_compatibility",
       "gpu",
     ],
-    hiddenFields: ["retry_interval"],
-    advancedFields: ["path", "global_args", "gpu"],
     overrideFields: [
       "inputs",
       "path",
@@ -54,6 +61,7 @@ const ffmpeg: SectionConfigOverrides = {
       "input_args",
       "hwaccel_args",
       "output_args",
+      "retry_interval",
       "apple_compatibility",
       "gpu",
     ],
@@ -117,10 +125,19 @@ const ffmpeg: SectionConfigOverrides = {
       "global_args",
       "input_args",
       "output_args",
+      "retry_interval",
+      "apple_compatibility",
+      "gpu",
+    ],
+    advancedFields: [
+      "global_args",
+      "input_args",
+      "output_args",
+      "path",
+      "retry_interval",
       "apple_compatibility",
       "gpu",
     ],
-    advancedFields: ["global_args", "input_args", "output_args", "path", "gpu"],
     uiSchema: {
       path: {
         "ui:options": { size: "md" },

web/src/components/config-form/sections/BaseSection.tsx

@@ -41,6 +41,7 @@ import Heading from "@/components/ui/heading";
 import get from "lodash/get";
 import cloneDeep from "lodash/cloneDeep";
 import isEqual from "lodash/isEqual";
+import merge from "lodash/merge";
 import {
   Collapsible,
   CollapsibleContent,
@@ -72,7 +73,6 @@ import {
   buildConfigDataForPath,
   flattenOverrides,
   getBaseCameraSectionValue,
-  mergeProfileOverrides,
   resolveHiddenFieldEntries,
   sanitizeSectionData as sharedSanitizeSectionData,
   requiresRestartForOverrides as sharedRequiresRestartForOverrides,
@@ -353,10 +353,7 @@ export function ConfigSection({
           `profiles.${profileName}.${sectionPath}`,
         );
         if (profileOverrides && typeof profileOverrides === "object") {
-          return mergeProfileOverrides(
-            (baseValue as object) ?? {},
-            profileOverrides as object,
-          );
+          return merge(cloneDeep(baseValue ?? {}), cloneDeep(profileOverrides));
         }
         return baseValue;
       }
@@ -1047,7 +1044,6 @@ export function ConfigSection({
           hiddenFields: effectiveHiddenFields,
           restartRequired: sectionConfig.restartRequired,
           requiresRestart,
-          isProfile: !!profileName,
         }}
       />
 

web/src/components/config-form/theme/widgets/OptionalFieldWidget.tsx

@@ -6,7 +6,6 @@ import { getWidget } from "@rjsf/utils";
 import { Switch } from "@/components/ui/switch";
 import { cn } from "@/lib/utils";
 import { getNonNullSchema } from "../fields/nullableUtils";
-import type { ConfigFormContext } from "@/types/configForm";
 
 export function OptionalFieldWidget(props: WidgetProps) {
   const { id, value, disabled, readonly, onChange, schema, options, registry } =
@@ -14,8 +13,6 @@ export function OptionalFieldWidget(props: WidgetProps) {
 
   const innerWidgetName = (options.innerWidget as string) || undefined;
   const isEnabled = value !== undefined && value !== null;
-  const formContext = registry?.formContext as ConfigFormContext | undefined;
-  const isProfile = !!formContext?.isProfile;
 
   // Extract the non-null branch from anyOf [Type, null]
   const innerSchema = getNonNullSchema(schema) ?? schema;
@@ -45,17 +42,10 @@ export function OptionalFieldWidget(props: WidgetProps) {
   const innerProps: WidgetProps = {
     ...props,
     schema: innerSchema,
-    disabled: disabled || readonly || (!isProfile && !isEnabled),
+    disabled: disabled || readonly || !isEnabled,
     value: isEnabled ? value : getDefaultValue(),
   };
 
-  // don't show the switch if we're editing in a profile
-  // to disable in a profile, users should edit the config manually, eg:
-  // skip_motion_threshold: None
-  if (isProfile) {
-    return <InnerWidget {...innerProps} />;
-  }
-
   return (
     <div className="flex items-center gap-3">
       <Switch

web/src/components/overlay/ClassificationSelectionDialog.tsx

@@ -102,19 +102,6 @@ export default function ClassificationSelectionDialog({
   // control
   const [newClass, setNewClass] = useState(false);
 
-  // Non-modal Radix DropdownMenu doesn't propagate wheel events to nested
-  // scroll containers, so attach a non-passive listener that scrolls manually.
-  const scrollContainerRef = useCallback((el: HTMLDivElement | null) => {
-    if (!el || !isDesktop) return;
-    const handleWheel = (e: WheelEvent) => {
-      if (el.scrollHeight <= el.clientHeight) return;
-      e.preventDefault();
-      el.scrollTop += e.deltaY;
-    };
-    el.addEventListener("wheel", handleWheel, { passive: false });
-    return () => el.removeEventListener("wheel", handleWheel);
-  }, []);
-
   // components
   const Selector = isDesktop ? DropdownMenu : Drawer;
   const SelectorTrigger = isDesktop ? DropdownMenuTrigger : DrawerTrigger;
@@ -127,8 +114,6 @@ export default function ClassificationSelectionDialog({
         </DrawerClose>
       );
 
-  // keep modal false on desktop to prevent dismissable layer pointer events
-  // issue with dialog auto-close
   return (
     <div className={className ?? "flex"}>
       <TextEntryDialog
@@ -137,60 +122,60 @@ export default function ClassificationSelectionDialog({
         title={t("createCategory.new")}
         onSave={(newCat) => onCategorizeImage(newCat)}
       />
-      <Selector {...(isDesktop ? { modal: false } : {})}>
-        <Tooltip>
-          <TooltipTrigger asChild={isChildButton}>
-            <SelectorTrigger asChild>{children}</SelectorTrigger>
-          </TooltipTrigger>
-          <TooltipContent>
-            {tooltipLabel ?? t("categorizeImage")}
-          </TooltipContent>
-        </Tooltip>
-        <SelectorContent
-          ref={scrollContainerRef}
-          className={cn(
-            isDesktop && "scrollbar-container max-h-[40dvh] overflow-y-auto",
-            isMobile && "mx-1 gap-2 rounded-t-2xl px-4",
-          )}
-          onCloseAutoFocus={(e) => e.preventDefault()}
-        >
-          {isMobile && (
-            <DrawerHeader className="sr-only">
-              <DrawerTitle>Details</DrawerTitle>
-              <DrawerDescription>Details</DrawerDescription>
-            </DrawerHeader>
-          )}
-          <DropdownMenuLabel>
-            {dialogLabel ?? t("categorizeImageAs")}
-          </DropdownMenuLabel>
-          <div className={cn("flex flex-col", isMobile && "gap-2 pb-4")}>
-            {filteredClasses
-              .sort((a, b) => {
-                if (a === "none") return 1;
-                if (b === "none") return -1;
-                return a.localeCompare(b);
-              })
-              .map((category) => (
-                <SelectorItem
-                  key={category}
-                  className="flex cursor-pointer gap-2 smart-capitalize"
-                  onClick={() => onCategorizeImage(category)}
-                >
-                  {category === "none"
-                    ? t("details.none")
-                    : category.replaceAll("_", " ")}
-                </SelectorItem>
-              ))}
-            <Separator />
-            <SelectorItem
-              className="flex cursor-pointer gap-2 smart-capitalize"
-              onClick={() => setNewClass(true)}
+
+      <Tooltip>
+        <Selector {...(isDesktop ? { modal: false } : {})}>
+          <SelectorTrigger asChild>
+            <TooltipTrigger asChild={isChildButton}>{children}</TooltipTrigger>
+          </SelectorTrigger>
+          <SelectorContent
+            className={cn("", isMobile && "mx-1 gap-2 rounded-t-2xl px-4")}
+            onCloseAutoFocus={(e) => e.preventDefault()}
+          >
+            {isMobile && (
+              <DrawerHeader className="sr-only">
+                <DrawerTitle>Details</DrawerTitle>
+                <DrawerDescription>Details</DrawerDescription>
+              </DrawerHeader>
+            )}
+            <DropdownMenuLabel>
+              {dialogLabel ?? t("categorizeImageAs")}
+            </DropdownMenuLabel>
+            <div
+              className={cn(
+                "flex max-h-[40dvh] flex-col overflow-y-auto",
+                isMobile && "gap-2 pb-4",
+              )}
             >
-              {t("createCategory.new")}
-            </SelectorItem>
-          </div>
-        </SelectorContent>
-      </Selector>
+              {filteredClasses
+                .sort((a, b) => {
+                  if (a === "none") return 1;
+                  if (b === "none") return -1;
+                  return a.localeCompare(b);
+                })
+                .map((category) => (
+                  <SelectorItem
+                    key={category}
+                    className="flex cursor-pointer gap-2 smart-capitalize"
+                    onClick={() => onCategorizeImage(category)}
+                  >
+                    {category === "none"
+                      ? t("details.none")
+                      : category.replaceAll("_", " ")}
+                  </SelectorItem>
+                ))}
+              <Separator />
+              <SelectorItem
+                className="flex cursor-pointer gap-2 smart-capitalize"
+                onClick={() => setNewClass(true)}
+              >
+                {t("createCategory.new")}
+              </SelectorItem>
+            </div>
+          </SelectorContent>
+        </Selector>
+        <TooltipContent>{tooltipLabel ?? t("categorizeImage")}</TooltipContent>
+      </Tooltip>
     </div>
   );
 }

web/src/components/overlay/FaceSelectionDialog.tsx

@@ -23,7 +23,7 @@ import {
 import { isDesktop, isMobile } from "react-device-detect";
 import { useTranslation } from "react-i18next";
 import { cn } from "@/lib/utils";
-import React, { ReactNode, useCallback, useMemo, useState } from "react";
+import React, { ReactNode, useMemo, useState } from "react";
 import TextEntryDialog from "./dialog/TextEntryDialog";
 import { Button } from "../ui/button";
 
@@ -61,19 +61,6 @@ export default function FaceSelectionDialog({
   // control
   const [newFace, setNewFace] = useState(false);
 
-  // Non-modal Radix DropdownMenu doesn't propagate wheel events to nested
-  // scroll containers, so attach a non-passive listener that scrolls manually.
-  const scrollContainerRef = useCallback((el: HTMLDivElement | null) => {
-    if (!el || !isDesktop) return;
-    const handleWheel = (e: WheelEvent) => {
-      if (el.scrollHeight <= el.clientHeight) return;
-      e.preventDefault();
-      el.scrollTop += e.deltaY;
-    };
-    el.addEventListener("wheel", handleWheel, { passive: false });
-    return () => el.removeEventListener("wheel", handleWheel);
-  }, []);
-
   // components
   const Selector = isDesktop ? DropdownMenu : Drawer;
   const SelectorTrigger = isDesktop ? DropdownMenuTrigger : DrawerTrigger;
@@ -86,8 +73,6 @@ export default function FaceSelectionDialog({
         </DrawerClose>
       );
 
-  // keep modal false on desktop to prevent dismissable layer pointer events
-  // issue with dialog auto-close
   return (
     <div className={className ?? "flex"}>
       {newFace && (
@@ -98,56 +83,52 @@ export default function FaceSelectionDialog({
           onSave={(newName) => onTrainAttempt(newName)}
         />
       )}
-      <Selector {...(isDesktop ? { modal: false } : {})}>
-        <Tooltip>
-          <TooltipTrigger asChild={isChildButton}>
-            <SelectorTrigger asChild>{children}</SelectorTrigger>
-          </TooltipTrigger>
-          <TooltipContent>{tooltipLabel ?? t("trainFace")}</TooltipContent>
-        </Tooltip>
-        <SelectorContent
-          ref={scrollContainerRef}
-          className={cn(
-            isDesktop && "scrollbar-container max-h-[40dvh] overflow-y-auto",
-            isMobile && "mx-1 gap-2 rounded-t-2xl px-4",
-          )}
-          onCloseAutoFocus={(e) => e.preventDefault()}
-        >
-          {isMobile && (
-            <DrawerHeader className="sr-only">
-              <DrawerTitle>Details</DrawerTitle>
-              <DrawerDescription>Details</DrawerDescription>
-            </DrawerHeader>
-          )}
-          <DropdownMenuLabel>
-            {dialogLabel ?? t("trainFaceAs")}
-          </DropdownMenuLabel>
-          <div
-            className={cn(
-              "flex flex-col",
-              isMobile &&
-                "max-h-[40dvh] gap-2 overflow-y-auto overflow-x-hidden pb-4",
-            )}
+
+      <Tooltip>
+        <Selector {...(isDesktop ? { modal: false } : {})}>
+          <SelectorTrigger asChild>
+            <TooltipTrigger asChild={isChildButton}>{children}</TooltipTrigger>
+          </SelectorTrigger>
+          <SelectorContent
+            className={cn("", isMobile && "mx-1 gap-2 rounded-t-2xl px-4")}
+            onCloseAutoFocus={(e) => e.preventDefault()}
           >
-            {filteredNames.sort().map((faceName) => (
-              <SelectorItem
-                key={faceName}
-                className="flex cursor-pointer gap-2 smart-capitalize"
-                onClick={() => onTrainAttempt(faceName)}
-              >
-                {faceName}
-              </SelectorItem>
-            ))}
-            <DropdownMenuSeparator />
-            <SelectorItem
-              className="flex cursor-pointer gap-2 smart-capitalize"
-              onClick={() => setNewFace(true)}
+            {isMobile && (
+              <DrawerHeader className="sr-only">
+                <DrawerTitle>Details</DrawerTitle>
+                <DrawerDescription>Details</DrawerDescription>
+              </DrawerHeader>
+            )}
+            <DropdownMenuLabel>
+              {dialogLabel ?? t("trainFaceAs")}
+            </DropdownMenuLabel>
+            <div
+              className={cn(
+                "flex max-h-[40dvh] flex-col overflow-y-auto overflow-x-hidden",
+                isMobile && "gap-2 pb-4",
+              )}
             >
-              {t("createFaceLibrary.new")}
-            </SelectorItem>
-          </div>
-        </SelectorContent>
-      </Selector>
+              {filteredNames.sort().map((faceName) => (
+                <SelectorItem
+                  key={faceName}
+                  className="flex cursor-pointer gap-2 smart-capitalize"
+                  onClick={() => onTrainAttempt(faceName)}
+                >
+                  {faceName}
+                </SelectorItem>
+              ))}
+              <DropdownMenuSeparator />
+              <SelectorItem
+                className="flex cursor-pointer gap-2 smart-capitalize"
+                onClick={() => setNewFace(true)}
+              >
+                {t("createFaceLibrary.new")}
+              </SelectorItem>
+            </div>
+          </SelectorContent>
+        </Selector>
+        <TooltipContent>{tooltipLabel ?? t("trainFace")}</TooltipContent>
+      </Tooltip>
     </div>
   );
 }

web/src/types/configForm.ts

@@ -44,5 +44,4 @@ export type ConfigFormContext = {
   requiresRestart?: boolean;
   t?: (key: string, options?: Record<string, unknown>) => string;
   renderers?: Record<string, RendererComponent>;
-  isProfile?: boolean;
 };

web/src/utils/configUtil.ts

@@ -6,6 +6,7 @@
 
 import get from "lodash/get";
 import cloneDeep from "lodash/cloneDeep";
+import merge from "lodash/merge";
 import unset from "lodash/unset";
 import isEqual from "lodash/isEqual";
 import mergeWith from "lodash/mergeWith";
@@ -91,32 +92,6 @@ export function getBaseCameraSectionValue(
   return base !== undefined ? base : get(cam, sectionPath);
 }
 
-// mergeWith customizer that replaces arrays wholesale instead of merging them
-// positionally by index. Used when the source value is meant to fully replace
-// the destination (e.g. profile overrides, section config overrides), so an
-// empty source array correctly clears the destination array.
-const replaceArraysCustomizer = (objValue: unknown, srcValue: unknown) => {
-  if (Array.isArray(objValue) || Array.isArray(srcValue)) {
-    return srcValue !== undefined ? srcValue : objValue;
-  }
-  return undefined;
-};
-
-// Merge profile overrides on top of base config values. Matches the backend's
-// deep_merge(overrides, base_data) semantics: arrays are replaced wholesale by
-// the profile's value rather than merged positionally, so an empty array in a
-// profile clears the base array instead of leaving stale entries behind.
-export function mergeProfileOverrides<T extends object>(
-  baseValue: T,
-  profileOverrides: object,
-): T {
-  return mergeWith(
-    cloneDeep(baseValue),
-    cloneDeep(profileOverrides),
-    replaceArraysCustomizer,
-  ) as T;
-}
-
 /** Sections that can appear inside a camera profile definition. */
 export const PROFILE_ELIGIBLE_SECTIONS = new Set([
   "audio",
@@ -589,9 +564,9 @@ export function prepareSectionSavePayload(opts: {
         baseValue &&
         typeof baseValue === "object"
       ) {
-        rawSectionValue = mergeProfileOverrides(
-          baseValue as object,
-          profileOverrides as object,
+        rawSectionValue = merge(
+          cloneDeep(baseValue),
+          cloneDeep(profileOverrides),
         );
       } else {
         rawSectionValue = baseValue;
@@ -700,12 +675,13 @@ const mergeSectionConfig = (
   overrides: Partial<SectionConfig> | undefined,
 ): SectionConfig =>
   mergeWith({}, base ?? {}, overrides ?? {}, (objValue, srcValue, key) => {
-    const arrayResult = replaceArraysCustomizer(objValue, srcValue);
-    if (arrayResult !== undefined) return arrayResult;
+    if (Array.isArray(objValue) || Array.isArray(srcValue)) {
+      return srcValue ?? objValue;
+    }
 
     if (key === "uiSchema") {
       if (objValue && srcValue) {
-        return mergeWith({}, objValue, srcValue, replaceArraysCustomizer);
+        return merge({}, objValue, srcValue);
       }
       return srcValue ?? objValue;
     }

web/src/views/settings/ObjectSettingsView.tsx

@@ -33,7 +33,6 @@ import { getTranslatedLabel } from "@/utils/i18n";
 import { useCameraFriendlyName } from "@/hooks/use-camera-friendly-name";
 import { AudioLevelGraph } from "@/components/audio/AudioLevelGraph";
 import { useWs } from "@/api/ws";
-import { cn } from "@/lib/utils";
 
 type ObjectSettingsViewProps = {
   selectedCamera?: string;
@@ -201,18 +200,15 @@ export default function ObjectSettingsView({
 
         <Tabs defaultValue="debug" className="w-full">
           <TabsList
-            className={cn(
-              "grid w-full",
-              cameraConfig.audio.enabled_in_config
-                ? "grid-cols-3"
-                : "grid-cols-2",
-            )}
+            className={`grid w-full ${cameraConfig.ffmpeg.inputs.some((input) => input.roles.includes("audio")) ? "grid-cols-3" : "grid-cols-2"}`}
           >
             <TabsTrigger value="debug">{t("debug.debugging")}</TabsTrigger>
             <TabsTrigger value="objectlist">
               {t("debug.objectList")}
             </TabsTrigger>
-            {cameraConfig.audio.enabled_in_config && (
+            {cameraConfig.ffmpeg.inputs.some((input) =>
+              input.roles.includes("audio"),
+            ) && (
               <TabsTrigger value="audio">{t("debug.audio.title")}</TabsTrigger>
             )}
           </TabsList>
@@ -329,7 +325,9 @@ export default function ObjectSettingsView({
           <TabsContent value="objectlist">
             <ObjectList cameraConfig={cameraConfig} objects={memoizedObjects} />
           </TabsContent>
-          {cameraConfig.audio.enabled_in_config && (
+          {cameraConfig.ffmpeg.inputs.some((input) =>
+            input.roles.includes("audio"),
+          ) && (
             <TabsContent value="audio">
               <AudioList
                 cameraConfig={cameraConfig}