You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
When accessing OctoPrint as guest, you can (if set up correctly) start a print, pause a print, but never cancel a print.
If you can start a print, and are also allowed to pause a print (potentially ruining the part, too), you should be allowed to cancel a print. This behavior is inconsistent otherwise.
Any logged in user, even with the most restrictive permissions, would be able to cancel a print.
This issue is due to the way permissions are checked in printerstate.js:
The print and pause button check self.loginState.hasPermission(self.access.permissions.PRINT), while cancel requires self.loginState.loggedIn(). It should be the former as well, or maybe self.loginState.loggedIn() || self.loginState.hasPermission(self.access.permissions.PRINT) to prevent guests in an unsecured environment from messing with prints.
I am not sure if there are changes required in the backend, too.
As far as I am aware, the variant with the OR above has no adverse security implications, as by default, guests do not have print permission.
I use OctoPrint in an isolated LAN environment, and I want all users to be able to use the basic functionalities of the printer without requiring a login. This currently works, besides this limitation that guests with print permission cannot cancel a print.
Did the issue persist even in safe mode?
Yes, it did persist
If you could not test in safe mode, please state why ("currently printing" is NOT an excuse!)
No response
Version of OctoPrint
1.9.3
Operating system running OctoPrint
OctoPi
Printer model & used firmware incl. version
No response
Browser and version of browser, operating system running browser
No response
Checklist of files to include below
Systeminfo Bundle (always include!)
Contents of the JavaScript browser console (always include in cases of issues with the user interface)
Screenshots and/or videos showing the problem (always include in case of issues with the user interface)
GCODE file with which to reproduce (always include in case of issues with GCODE analysis or printing behaviour)
It looks like you didn't upload a system info bundle as requested by the template. A bundle is required to further process your issue. It contains important logs and system information to be able to put your issue into context and give pointers as to what has happened.
Please edit your original post above and upload a bundle zip file. Actually upload the file please and do not paste some link to a cloud provider, we want to have everything in one place here. Also do not unpack, repack or otherwise modify the bundle or its name, share it exactly like you get it from OctoPrint.
Without the availability of a bundle, your issue will have to be closed.
Thank you for your collaboration.
Thank you @codeceptsDE for adding a bundle! Now this can actually get looked at.
The problem
When accessing OctoPrint as guest, you can (if set up correctly) start a print, pause a print, but never cancel a print.
If you can start a print, and are also allowed to pause a print (potentially ruining the part, too), you should be allowed to cancel a print. This behavior is inconsistent otherwise.
Any logged in user, even with the most restrictive permissions, would be able to cancel a print.
This issue is due to the way permissions are checked in
printerstate.js
:OctoPrint/src/octoprint/static/js/app/viewmodels/printerstate.js
Lines 48 to 76 in cd0f476
The print and pause button check
self.loginState.hasPermission(self.access.permissions.PRINT)
, while cancel requiresself.loginState.loggedIn()
. It should be the former as well, or maybeself.loginState.loggedIn() || self.loginState.hasPermission(self.access.permissions.PRINT)
to prevent guests in an unsecured environment from messing with prints.I am not sure if there are changes required in the backend, too.
As far as I am aware, the variant with the OR above has no adverse security implications, as by default, guests do not have print permission.
I use OctoPrint in an isolated LAN environment, and I want all users to be able to use the basic functionalities of the printer without requiring a login. This currently works, besides this limitation that guests with print permission cannot cancel a print.
Did the issue persist even in safe mode?
Yes, it did persist
If you could not test in safe mode, please state why ("currently printing" is NOT an excuse!)
No response
Version of OctoPrint
1.9.3
Operating system running OctoPrint
OctoPi
Printer model & used firmware incl. version
No response
Browser and version of browser, operating system running browser
No response
Checklist of files to include below
Additional information & file uploads
No response
octoprint-systeminfo-20240416093746.zip
The text was updated successfully, but these errors were encountered: