Deluge is accessible to anyone at (freedombox-url)/deluge with only the Deluge password between them and the interface
Feedback on a Problem or for Improvement
This seems counter-intuitive - the user setup allows & denies specific users torrent permissions, but anyone with the appropriate URL in hand can access the Deluge page with only the Deluge password between them and the interface. No login to a user account is necessary at all. If the Deluge password is supplied, a non-logged-in user can access the Deluge page.
Only allow logged-in users to access Deluge as defined by user permissions. If not logged in, redirect (freedombox-url)/deluge to the login screen.
This should probably be considered a minor issue, as Deluge is behind a password, but at the minimum the manual should be updated to emphasize the importance of the Deluge password. I assumed that access was protected behind a FreedomBox login, and I’d be safe using an embarrassingly weak Deluge password…
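Added example, not part of the original post and not FreedomBox code: a small check an administrator can run against their own box to see whether an unauthenticated request for the Deluge URL is redirected to the login screen or served directly. The login path `/plinth/accounts/login/` and the host `box.example` are assumptions; adjust them to your installation.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

LOGIN_PATH = "/plinth/accounts/login/"  # assumption: login screen path on your box

def classify(status, location, app_url, login_path=LOGIN_PATH):
    """Classify what a client with no session received for app_url."""
    if status in (301, 302, 303, 307, 308) and location:
        target = urlparse(urljoin(app_url, location))
        same_host = target.netloc == urlparse(app_url).netloc
        if same_host and target.path.startswith(login_path):
            return "gated"           # bounced to the login screen
        return "redirect-other"      # e.g. trailing-slash fix; probe the target too
    if status in (401, 403):
        return "gated"               # refused outright
    if 200 <= status < 300:
        return "exposed"             # app page served without a user login
    return "unknown"

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None                  # surface the 3xx instead of following it

def probe(app_url, timeout=10):
    """Request app_url with no cookies and classify the first response."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(app_url, timeout=timeout) as resp:
            return classify(resp.status, resp.headers.get("Location"), app_url)
    except urllib.error.HTTPError as err:
        return classify(err.code, err.headers.get("Location"), app_url)

if __name__ == "__main__":
    # Constructed responses (no network needed) showing each outcome.
    url = "https://box.example/deluge"
    samples = [(200, None), (302, "/plinth/accounts/login/?next=/deluge"),
               (301, "https://box.example/deluge/"), (403, None)]
    for status, location in samples:
        print(status, location, "->", classify(status, location, url))
```

Run `probe("https://<your-box>/deluge")` from a machine with no FreedomBox session; a result of `exposed` means only the Deluge password protects the interface.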