One of the great things about Syncthing is the ability to monitor in a browser from anywhere. It would be great if a read-only account could be made to monitor progress without having access to make any changes to the settings of Syncthing. For example, this could be used for a lower-level system admin who monitors systems but reports problems to a supervisor rather than attempting to fix the issue themselves. If one of my devices is disconnected, I would want that reported to me right away, but I do not want my employees to attempt to fix the problem themselves. Currently if I want one of my employees to monitor a device they must log in as the single admin user.
Thanks for the great application! I searched and did not find a similar request. I am posting in Features because I assume this is a feature request.
I can certainly see the utility for it in an enterprise setting. However, I think multiple users are out of scope for the Syncthing core use case.
One thing I could see instead is multiple api keys, which could each be rw or ro. There’s a ticket somewhere on there about improving and hashing api keys somewhere.
I also could really use something like that.
It could also be simpler, like an “Allow Anonymous read access” flag so that users that do not login can read some data and users that login with the admin user/password are able do effectively administer it.
How about a second “Read Only Api Key” which just prevents access to most of the api call as a quick win? So at least the api can be used to get data and display them somehow.
If you are willing to contribute the feature, sure, I’ll gladly review any PR’s, yet the all API keys are visible in the config problem does not go away by having a second key.
I created a very small bootstrap frontend that uses the need, completion and scan api.
It looks like this:
I will look into the code and see if I could add a second api key which would allow only those (and maybe a bit more?) api calls.
I will look into the code and see if I could add a second api key which would allow only those (and maybe a bit more?) api calls.