MyFavMirrors/moonfire-nvr
1
0
Fork 0
mirror of https://github.com/scottlamb/moonfire-nvr.git synced 2025-12-04 06:35:58 -05:00
Code Issues Packages Projects Releases Wiki Activity

add concept of user/session permissions

Browse Source 
(I also considered the names "capabilities" and "scopes", but I think
"permissions" is the most widely understood.)

This is increasingly necessary as the web API becomes more capable.
Among other things, it allows:

* non-administrator users who can view but not access camera passwords
  or change any state
* workers that update signal state based on cameras' built-in motion
  detection or a security system's events but don't need to view videos
* control over what can be done without authenticating

Currently session permissions are just copied from user permissions, but
you can also imagine admin sessions vs not, as a checkbox when signing
in. This would match the standard Unix workflow of using a
non-administrative session most of the time.

Relevant to my current signals work (#28) and to the addition of an
administrative API (#35, including #66).
This commit is contained in:
Scott Lamb
2019-06-19 15:17:50 -07:00
parent d8b8d5d5e0
commit fda7e4ca2b
23 changed files with 336 additions and 741 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
guide/install-manual.md
View File

@@ -84,7 +84,8 @@ Moonfire NVR can be run as a systemd service. Create
[Service]
ExecStart=/usr/local/bin/moonfire-nvr run \
--db-dir=/var/lib/moonfire-nvr/db \
--http-addr=0.0.0.0:8080
--http-addr=0.0.0.0:8080 \
--allow_unauthenticated_scopes='view_video: true'
Environment=TZ=:/etc/localtime
Environment=MOONFIRE_FORMAT=google-systemd
Environment=MOONFIRE_LOG=info

8
guide/secure.md
View File

@@ -154,12 +154,14 @@ In your `/etc/systemd/system/moonfire-nvr.service` file, look for these lines:
```
ExecStart=/usr/local/bin/moonfire-nvr run \
--db-dir=/var/lib/moonfire-nvr/db \
--http-addr=0.0.0.0:8080
--http-addr=0.0.0.0:8080 \
--allow-unauthenticated-permissions='view_video: true'
```
Add `--require-auth --trust-forward-hdrs`. This change has two effects:
Replace the last line with `--trust-forward-hdrs`. This change has two effects:
* `--require-auth` means that web users must authenticate.
* No `--allow-unauthenticated-permissions` means that web users must
authenticate.
* `--trust-forward-hdrs` means that Moonfire NVR will look for `X-Real-IP`
and `X-Forwarded-Proto` headers as added by the webserver configuration
in the next section.