Add SpoolTracker plugin#1378

Closed
thatguymendel wants to merge 1 commit into OctoPrint:gh-pages from thatguymendel:spooltracker

@thatguymendel

This PR adds the SpoolTracker plugin for simply tracking how much filament is left on your spool.

@jacopotediosi
Member

jacopotediosi commented Jun 6, 2025

Hi @thatguymendel,

I noticed that you closed your PR. Anyway, I still took a quick look at your plugin OctoPrint-SpoolTracker.

In your __init__.py, you’re using the SimpleApiPlugin Mixin, which by default does not enforce authentication or authorization checks.
I recommend explicitly implementing such checks, for example using the octoprint.access.permissions.Permissions class.

You can refer to how the OctoPrint built-in plugin action_command_notification does it here:
https://github.com/OctoPrint/OctoPrint/blob/65b6b33b93e5af8270e477ca0e755ab7d00ad4f8/src/octoprint/plugins/action_command_notification/__init__.py#L86-L88

Here you can find a list of predefined permissions you can check:
https://github.com/OctoPrint/OctoPrint/blob/65b6b33b93e5af8270e477ca0e755ab7d00ad4f8/src/octoprint/access/permissions.py#L270-L448

Alternatively, you can define custom permissions using the additional_permissions_hook.

I strongly suggest adding proper permission checks for both the on_api_get and on_api_command functions.
Without them, your plugin poses a security risk, as unauthenticated attackers could use its APIs.

@jneilliii
Contributor

jneilliii commented Jun 6, 2025

The simplest approach is to add this to the plugin right @jacopotediosi?

https://docs.octoprint.org/en/master/plugins/mixins.html#octoprint.plugin.SimpleApiPlugin.is_api_adminonly

def is_api_adminonly(self):
    return True

@jacopotediosi
Member

> The simplest approach is to add this to the plugin right @jacopotediosi?
>
> https://docs.octoprint.org/en/master/plugins/mixins.html#octoprint.plugin.SimpleApiPlugin.is_api_adminonly
>
> def is_api_adminonly(self):
>     return True

Not exactly the same thing.

is_api_adminonly restricts API access to users with the ADMIN permission and applies to all API commands uniformly.
By implementing the octoprint.access.permissions.Permissions class instead, you can define the required permissions more granularly and per individual command.

@jneilliii
Contributor

Yeah, that makes sense. I've done permission implementations in several of my plugins.
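
The difference discussed in this thread between a uniform `is_api_adminonly` gate and per-command permission checks, as an added example that is not code from the plugin, from OctoPrint, or from any participant. It is a stand-alone Python model: `User.can` stands in for `Permissions.<NAME>.can()`, and the command names, users and permission mapping are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed data: command names, users and the mapping are hypothetical.
# Permission names mirror OctoPrint's predefined STATUS, SETTINGS and ADMIN.
API_COMMANDS = {"set_remaining": ["grams"], "reset_spool": []}  # get_api_commands() shape
REQUIRED = {"set_remaining": "SETTINGS", "reset_spool": "ADMIN"}
GET_REQUIRED = "STATUS"  # permission needed for on_api_get

@dataclass(frozen=True)
class User:
    name: str
    permissions: frozenset = frozenset()

    def can(self, permission):
        # Stand-in for Permissions.<NAME>.can() evaluated for the current user
        return permission in self.permissions

USERS = [
    User("anonymous"),
    User("viewer", frozenset({"STATUS"})),
    User("operator", frozenset({"STATUS", "SETTINGS"})),
    User("admin", frozenset({"STATUS", "SETTINGS", "ADMIN"})),
]

def no_check(user, command):
    return 200  # the default the review comment describes: no authorization

def admin_only(user, command):
    return 200 if user.can("ADMIN") else 403  # models is_api_adminonly() -> True

def granular(user, command):
    if command == "GET":
        needed = GET_REQUIRED
    elif command not in API_COMMANDS:
        return 400  # unknown command
    else:
        needed = REQUIRED.get(command, "ADMIN")  # unmapped commands fail closed
    return 200 if user.can(needed) else 403

def unmapped_commands():
    # Audit: commands exposed by the API that have no declared permission
    return sorted(set(API_COMMANDS) - set(REQUIRED))

def access_matrix(check):
    calls = ["GET", *sorted(API_COMMANDS)]
    return {u.name: [c for c in calls if check(u, c) == 200] for u in USERS}

if __name__ == "__main__":
    for check in (no_check, admin_only, granular):
        print(check.__name__, access_matrix(check))
```

Running `unmapped_commands()` in a plugin's test suite catches a command added to the API without a declared permission.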
