feat: require RM admin for certain operations

rambo · rambo · commit 9b36d4e325e8 · 2025-06-27T22:31:50.000+03:00
diff --git a/src/rmmtxauthz/web/mediamtx.py b/src/rmmtxauthz/web/mediamtx.py
@@ -23,6 +23,10 @@ async def get_auth(authreq: MTXAuthReq) -> Response:
         if authreq.password != dbuser.mtxpassword:
             LOGGER.error("Wrong password for {}".format(authreq.user))
             raise HTTPException(status_code=403)
+        # Operations that require admin privileges
+        if authreq.action in ("api", "metrics", "pprof") and not dbuser.is_rmadmin:
+            LOGGER.error("{} is not admin requesting {}".format(authreq.user, authreq.action))
+            raise HTTPException(status_code=403)
         return Response(status_code=204)
     except (NotFound, Deleted) as exc:
         LOGGER.error("Invalid user {}: {}".format(authreq.user, exc))
