Use case
I want to use the web plugin to allow queries of my music on my LAN, but I want to maintain full control over updates, with no updates or deletions allowed using the web API.
Of course, I am not exposing the beets web API to the internet, but I don't even want to risk accidental changes by a web user if the web screens were to be updated to allow that, for example.
Solution
While it is possible to use various external security capabilities, such as hiding behind a full-featured web server, etc., I would like a simple config setting to allow me to say "my beets web is only for read-only access".
I propose adding a simple config setting for web: readonly with a boolean true/false value. It would need to default to false since it was not added at the same time as DELETE and PATCH were added, but would still be useful to allow read-only usage.
I expect to have a simple implementation in a couple of days.
Alternatives
A full access control mechanism with accounts might be nice but is probably overkill. A simple readonly setting to disallow DELETE and PATCH and return to only allowing queries would be enough initially, and should have been provided when the additional commands were added.
Presumably a separate user could be set up with read-only access to the database, but that is a lot of work just to prevent something which should not have been allowed by default in the first place.
This would be great! In fact, I think it would be good to make readonly: yes the default so people aren't surprised that running a server gives people access to editing their library.
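An added example, not code from beets or from this thread: one way to get the read-only behaviour proposed above is a WSGI wrapper that, when `readonly` is true, lets only GET, HEAD and OPTIONS through. It goes beyond the DELETE/PATCH denylist in the proposal by using an allowlist, so methods added later are refused too; `ReadOnlyMiddleware`, `demo_app` and `call` are hypothetical names, and answering with 405 is an assumed choice.

```python
from wsgiref.util import setup_testing_defaults

# Allowlist of methods that never modify state (default-deny for the rest).
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


class ReadOnlyMiddleware:
    """Hypothetical WSGI wrapper: with readonly=True only safe methods reach the app."""

    def __init__(self, app, readonly=False):
        self.app = app
        self.readonly = readonly

    def __call__(self, environ, start_response):
        method = environ.get("REQUEST_METHOD", "").upper()
        if self.readonly and method not in SAFE_METHODS:
            body = b"This server is read-only.\n"
            start_response("405 Method Not Allowed", [
                ("Allow", ", ".join(sorted(SAFE_METHODS))),
                ("Content-Type", "text/plain; charset=utf-8"),
                ("Content-Length", str(len(body))),
            ])
            return [body]  # the wrapped app is never called
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Constructed stand-in for a library API that accepts every method."""
    body = ("handled " + environ["REQUEST_METHOD"]).encode()
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Content-Length", str(len(body)))])
    return [body]


def call(app, method, path="/item/1"):
    """Drive a WSGI app in-process and return (status, headers, body)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path}
    setup_testing_defaults(environ)  # fills in the remaining WSGI keys
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    locked = ReadOnlyMiddleware(demo_app, readonly=True)
    for m in ("GET", "PATCH", "DELETE", "PUT"):
        print(m, call(locked, m)[0])
```
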