prevent API options from being changed via API

modules/api/api.py

@@ -570,7 +570,7 @@ class Api:
             raise RuntimeError(f"model {checkpoint_name!r} not found")
 
         for k, v in req.items():
-            shared.opts.set(k, v)
+            shared.opts.set(k, v, is_api=True)
 
         shared.opts.save(shared.config_filename)
         return

modules/options.py

@@ -8,7 +8,7 @@ from modules.shared_cmd_options import cmd_opts
 
 
 class OptionInfo:
-    def __init__(self, default=None, label="", component=None, component_args=None, onchange=None, section=None, refresh=None, comment_before='', comment_after='', infotext=None):
+    def __init__(self, default=None, label="", component=None, component_args=None, onchange=None, section=None, refresh=None, comment_before='', comment_after='', infotext=None, restrict_api=False):
         self.default = default
         self.label = label
         self.component = component
@@ -26,6 +26,9 @@ class OptionInfo:
 
         self.infotext = infotext
 
+        self.restrict_api = restrict_api
+        """If True, the setting will not be accessible via API"""
+
     def link(self, label, url):
         self.comment_before += f"[<a href='{url}' target='_blank'>{label}</a>]"
         return self
@@ -71,7 +74,7 @@ options_builtin_fields = {"data_labels", "data", "restricted_opts", "typemap"}
 class Options:
     typemap = {int: float}
 
-    def __init__(self, data_labels, restricted_opts):
+    def __init__(self, data_labels: dict[str, OptionInfo], restricted_opts):
         self.data_labels = data_labels
         self.data = {k: v.default for k, v in self.data_labels.items()}
         self.restricted_opts = restricted_opts
@@ -113,14 +116,18 @@ class Options:
 
         return super(Options, self).__getattribute__(item)
 
-    def set(self, key, value):
+    def set(self, key, value, is_api=False):
         """sets an option and calls its onchange callback, returning True if the option changed and False otherwise"""
 
         oldval = self.data.get(key, None)
         if oldval == value:
             return False
 
-        if self.data_labels[key].do_not_save:
+        option = self.data_labels[key]
+        if option.do_not_save:
+            return False
+
+        if is_api and option.restrict_api:
             return False
 
         try:
@@ -128,9 +135,9 @@ class Options:
         except RuntimeError:
             return False
 
-        if self.data_labels[key].onchange is not None:
+        if option.onchange is not None:
             try:
-                self.data_labels[key].onchange()
+                option.onchange()
             except Exception as e:
                 errors.display(e, f"changing setting {key} to {value}")
                 setattr(self, key, oldval)

modules/shared_options.py

@@ -112,9 +112,9 @@ options_templates.update(options_section(('system', "System"), {
 }))
 
 options_templates.update(options_section(('API', "API"), {
-    "api_enable_requests": OptionInfo(True, "Allow http:// and https:// URLs for input images in API"),
+    "api_enable_requests": OptionInfo(True, "Allow http:// and https:// URLs for input images in API", restrict_api=True),
-    "api_forbid_local_requests": OptionInfo(True, "Forbid URLs to local resources"),
+    "api_forbid_local_requests": OptionInfo(True, "Forbid URLs to local resources", restrict_api=True),
-    "api_useragent": OptionInfo("", "User agent for requests"),
+    "api_useragent": OptionInfo("", "User agent for requests", restrict_api=True),
 }))
 
 options_templates.update(options_section(('training', "Training"), {