.. _card-security: Enable Record Index Protection ======================================================= If the record index security is turned off, photos and attachments in records will be available by direct link, no matter what the user's rights are. Configure FindFace Multi to run all media requests through the DJANGO application for ACL checks to increase record index security. .. important:: Enable the record media security only if you need it, as this setting severely negatively impacts the system performance. .. important:: For the ACL checks to work properly, you must set the view permission for photos of faces, bodies, and vehicles stored in records. To do so, navigate :guilabel:`Settings` → :guilabel:`Roles` → specific role → :guilabel:`Permissions` and set :guilabel:`View` for the ``faceobject``, ``bodyobject``, and ``carobject`` entities, subject to the object types enabled in the system. See :ref:`create-role` for details. .. seealso:: :ref:`record-index` To enable record index security, do the following: #. Open the ``/opt/findface-multi/configs/findface-multi-legacy/findface-multi-legacy.py`` configuration file. Locate the ``OVERPROTECT_MEDIA`` parameter and set it ``True``. .. code:: sudo vi /opt/findface-multi/configs/findface-multi-legacy/findface-multi-legacy.py ... 'OVERPROTECT_MEDIA': True, #. Do the same in the ``/opt/findface-multi/configs/findface-multi-identity-provider/findface-multi-identity-provider.py`` configuration file: locate the ``OVERPROTECT_MEDIA`` parameter and set it ``True``. .. code:: sudo vi /opt/findface-multi/configs/findface-multi-identity-provider/findface-multi-identity-provider.py ... 'OVERPROTECT_MEDIA': True, #. Open the nginx configuration file ``/opt/findface-multi/configs/findface-multi-ui/nginx-site.conf``. Uncomment ``internal`` in the ``location /uploads`` section. .. code:: sudo vi /opt/findface-multi/configs/findface-multi-ui/nginx-site.conf location /uploads/ { internal; # Uncomment if you intend to enable OVERPROTECT_MEDIA ... } #. Restart the ``findface-multi-findface-multi-legacy-1``, ``findface-multi-findface-multi-identity-provider-1``, and ``findface-multi-findface-multi-ui-1`` containers. .. code:: sudo docker container restart findface-multi-findface-multi-legacy-1 sudo docker container restart findface-multi-findface-multi-identity-provider-1 sudo docker container restart findface-multi-findface-multi-ui-1 #. After the new security policy is applied, logged-in users must re-authenticate. To make the users do so, execute the logout-all command: .. code:: sudo docker container exec -it findface-multi-findface-multi-identity-provider-1 /opt/findface-security/bin/python3 /tigre_prototype/manage.py logout_all_users