security patch: model downloading policy is updated

doesn't allow model downloading if security level is high and ComfyUI is remotely accessible

glob/manager_core.py

@@ -23,7 +23,7 @@ sys.path.append(glob_path)
 import cm_global
 from manager_util import *
 
-version = [2, 46, 3]
+version = [2, 46, 4]
 version_str = f"V{version[0]}.{version[1]}" + (f'.{version[2]}' if len(version) > 2 else '')
 
 

glob/manager_server.py

@@ -985,6 +985,14 @@ async def install_model(request):
 
     model_path = get_model_path(json_data)
 
+    if not is_allowed_security_level('middle'):
+        print(f"ERROR: To use this action, a security_level of `middle or below` is required. Please contact the administrator.")
+        return web.Response(status=403)
+
+    if not json_data['name'].endswith('.safetensors') and not is_allowed_security_level('high'):
+        print(f"ERROR: To use this feature, you must set '--listen' to a local IP and set the security level to 'middle' or 'weak'. Please contact the administrator.")
+        return web.Response(status=403)
+
     res = False
 
     try:

pyproject.toml

@@ -1,7 +1,7 @@
 [project]
 name = "comfyui-manager"
 description = "ComfyUI-Manager provides features to install and manage custom nodes for ComfyUI, as well as various functionalities to assist with ComfyUI."
-version = "2.46.3"
+version = "2.46.4"
 license = "LICENSE"
 dependencies = ["GitPython", "PyGithub", "matrix-client==0.4.0", "transformers", "huggingface-hub>0.20", "typer", "rich", "typing-extensions"]