2026-05-10 07:25:27 +03:00
3 changed files with 14 additions and 34 deletions
--- a/frigate/api/app.py
+++ b/frigate/api/app.py
@ -218,7 +218,7 @@ def config_raw_paths(request: Request):
    return JSONResponse(content=raw_paths)


-@router.get("/config/raw", dependencies=[Depends(require_role(["admin"]))])
+@router.get("/config/raw", dependencies=[Depends(allow_any_authenticated())])
 def config_raw():
    config_file = find_config_file()

@ -732,12 +732,7 @@ def get_recognized_license_plates(


@router.get("/timeline", dependencies=[Depends(allow_any_authenticated())])
-def timeline(
-    camera: str = "all",
-    limit: int = 100,
-    source_id: Optional[str] = None,
-    allowed_cameras: List[str] = Depends(get_allowed_cameras_for_filter),
-):
+def timeline(camera: str = "all", limit: int = 100, source_id: Optional[str] = None):
    clauses = []

    selected_columns = [
@ -759,9 +754,6 @@ def timeline(
        else:
            clauses.append((Timeline.source_id.in_(source_ids)))

-    # Enforce per-camera access control
-    clauses.append((Timeline.camera << allowed_cameras))
-
    if len(clauses) == 0:
        clauses.append((True))

@ -777,10 +769,7 @@ def timeline(


@router.get("/timeline/hourly", dependencies=[Depends(allow_any_authenticated())])
-def hourly_timeline(
-    params: AppTimelineHourlyQueryParameters = Depends(),
-    allowed_cameras: List[str] = Depends(get_allowed_cameras_for_filter),
-):
+def hourly_timeline(params: AppTimelineHourlyQueryParameters = Depends()):
    """Get hourly summary for timeline."""
    cameras = params.cameras
    labels = params.labels
@ -798,9 +787,6 @@ def hourly_timeline(
        camera_list = cameras.split(",")
        clauses.append((Timeline.camera << camera_list))

-    # Enforce per-camera access control
-    clauses.append((Timeline.camera << allowed_cameras))
-
    if labels != "all":
        label_list = labels.split(",")
        clauses.append((Timeline.data["label"] << label_list))
--- a/frigate/api/auth.py
+++ b/frigate/api/auth.py
@ -67,6 +67,7 @@ def require_admin_by_default():
        "/stats",
        "/stats/history",
        "/config",
+        "/config/raw",
        "/vainfo",
        "/nvinfo",
        "/labels",
--- a/frigate/api/media.py
+++ b/frigate/api/media.py
@ -1142,6 +1142,7 @@ async def event_snapshot(

@router.get(
    "/events/{event_id}/thumbnail.{extension}",
+    dependencies=[Depends(require_camera_access)],
 )
 async def event_thumbnail(
    request: Request,
@ -1343,12 +1344,12 @@ def grid_snapshot(

@router.get(
    "/events/{event_id}/snapshot-clean.webp",
+    dependencies=[Depends(require_camera_access)],
 )
-async def event_snapshot_clean(request: Request, event_id: str, download: bool = False):
+def event_snapshot_clean(request: Request, event_id: str, download: bool = False):
    webp_bytes = None
    try:
        event = Event.get(Event.id == event_id)
-        await require_camera_access(event.camera, request=request)
        snapshot_config = request.app.frigate_config.cameras[event.camera].snapshots
        if not (snapshot_config.enabled and event.has_snapshot):
            return JSONResponse(
@ -1469,7 +1470,7 @@ async def event_snapshot_clean(request: Request, event_id: str, download: bool =


@router.get(
-    "/events/{event_id}/clip.mp4",
+    "/events/{event_id}/clip.mp4", dependencies=[Depends(require_camera_access)]
 )
 async def event_clip(
    request: Request,
@ -1483,8 +1484,6 @@ async def event_clip(
            content={"success": False, "message": "Event not found"}, status_code=404
        )

-    await require_camera_access(event.camera, request=request)
-
    if not event.has_clip:
        return JSONResponse(
            content={"success": False, "message": "Clip not available"}, status_code=404
@ -1501,9 +1500,9 @@ async def event_clip(


@router.get(
-    "/events/{event_id}/preview.gif",
+    "/events/{event_id}/preview.gif", dependencies=[Depends(require_camera_access)]
 )
-async def event_preview(request: Request, event_id: str):
+def event_preview(request: Request, event_id: str):
    try:
        event: Event = Event.get(Event.id == event_id)
    except DoesNotExist:
@ -1511,8 +1510,6 @@ async def event_preview(request: Request, event_id: str):
            content={"success": False, "message": "Event not found"}, status_code=404
        )

-    await require_camera_access(event.camera, request=request)
-
    start_ts = event.start_time
    end_ts = start_ts + (
        min(event.end_time - event.start_time, 20) if event.end_time else 20
@ -1857,8 +1854,8 @@ def preview_mp4(
    )


-@router.get("/review/{event_id}/preview")
-async def review_preview(
+@router.get("/review/{event_id}/preview", dependencies=[Depends(require_camera_access)])
+def review_preview(
    request: Request,
    event_id: str,
    format: str = Query(default="gif", enum=["gif", "mp4"]),
@ -1871,8 +1868,6 @@ async def review_preview(
            status_code=404,
        )

-    await require_camera_access(review.camera, request=request)
-
    padding = 8
    start_ts = review.start_time - padding
    end_ts = (
@ -1886,12 +1881,10 @@ async def review_preview(


@router.get(
-    "/preview/{file_name}/thumbnail.jpg",
-    dependencies=[Depends(allow_any_authenticated())],
+    "/preview/{file_name}/thumbnail.jpg", dependencies=[Depends(require_camera_access)]
 )
@router.get(
-    "/preview/{file_name}/thumbnail.webp",
-    dependencies=[Depends(allow_any_authenticated())],
+    "/preview/{file_name}/thumbnail.webp", dependencies=[Depends(require_camera_access)]
 )
 def preview_thumbnail(file_name: str):
    """Get a thumbnail from the cached preview frames."""