Deluge is accessable to anyone at (freedombox-url)/deluge with only the Deluge password between them and the interface

Feedback on a Problem or for Improvement

Summary
This seems counter-intuitive - the user setup allows & denies specific users torrent permissions, but anyone with the appropriate URL in hand can access the deluge page with only the Deluge password between them and the interface. No login to a user-account is necessary at all. If the deluge password is supplied, a non-logged-in user can access the Deluge page.

Proposed Solution
Only allow logged in users to access deluge as defined by user permissions. If not logged in, redirect (freedombox-url)/deluge to the login screen.

This should probably be considered a minor issue, as Deluge is behind a password, but at the minimum the manual should be updated to emphasize the importance of the Deluge password. I assumed that access was protected behind a Freedombox login, and I’d be safe using an embarassingly weak Deluge password…

Thanks for pointing out this issue.

I have raised a merge request !1977 to put Deluge behind FreedomBox single sign-on, just like Transmission currently is.

Users belonging to either admin or bit-torrent user groups can access the web apps.