Description
Hi @r@roflcoopter! Firstly, congrats on a phenomenal piece of software. Great advances in this new version 3.0.0.
I've noticed that user roles are yet not implemented. So, any user (or the logged used if auth enabled) can easily delete the videos. It's a major security flaw for a system meant for security or access control. I wish to see at least a "view-only" role for a user in addition to the admin role in the near future realease.
I believe, while the role management isn't implemented, an easy temporary workaround would use an environment variable set to hide the delete video button in the UI, preventing video deletion by a malicious user.
Something like:
environment:
- PUID=1000
- PGID=1000
- ALLOW_DELETION=False
And a script could set a “disabled” attribute in the UI component. What do you think?