Comfy-Org
[Feature request] Allow users to manually change the security level in the FE or hide features that are not allowed in the current security level config.
When users install custom nodes and choose the nightly version, they will install the custom nodes from GitHub. However, since the default security_level is set to normal, users may be confused as to why they can't install custom nodes.
Also, there is too little information in the prompt. Users who don't know how to change the security_level setting will only feel frustrated.
Here's my advice
1. Only show interface features allowed by the user's current security settings.
Such as hide the "nightly version" or don't use the "nightly" as default version (but seems lot of custom node only have nightly)
Don't show the install PIP package and install via Git URL if their security_level isn't weak.
Otherwise, when users try to use these features for the first time, they will be confused about why they can't install custom nodes.
2. Allow users change the security level in the FE
I think a lot of users still look up how to fix security level issues every day. Whatever the outcome, they always set the security to 'weak' once they figure out how.
So why not allow users to change security settings in the FE? But we should make sure users fully understand the consequences and risks. Add more details in the prompt, then let users decide whether to change the settings or not.
Especially for beginners, they may not know much about computers or ComfyUI. Sometimes they might not even know how to update the config.ini
3. Add more details in the prompt.
The current prompt lacks information. Should we add more details to tell users how they can change the security settings?
Such as "This action is not allowed with this security level configuration. If you need to, you can change the security level to weak in the ComfyUI/user/default/ComfyUI-Manager/config.ini. [Notice] Please make sure you know what it means, otherwise you shouldn't change this setting."
Option 2 and 3 seem good. Making security level configurable from the client has issues e.g. when a server is serving multiple clients.
In ComfyUI-Manager v3.33.4, when installing a custom node, the latest is now the default option. But the desktop is still using 3.30.4, which is why when I took the screenshot, nightly was still the default option.
This feature should be available only in the Desktop version. Security settings should not be editable remotely.
You could keep the issue open for the UI adjustments. It makes sense to hide things that are disabled by security level, maybe.
Can someone clarify what does latest protect against vs nightly ?
Latest means the latest stable version, and the custom node will be downloaded from the ComfyUI registry server (The custom node has undergone some security scans). For the nightly version, it will be downloaded from Github, which may contain malicious code.
The custom node has undergone some security scans
Nice thanks, I did not know that subtlety. It does make sense then
I watched it repeatedly and didn't know if this was the answer, but I couldn't update the plugin, and I set all security to the minimum before I saw this post
