
Restricted user still has access on views and dashboards set at NOT visible to it if manually modifies the URL in browser #20655

Open
3 of 4 tasks
raduigret opened this issue Apr 28, 2024 · 1 comment

Comments

@raduigret

Checklist

  • I have updated to the latest available Home Assistant version.
  • I have cleared the cache of my browser.
  • I have tried a different browser to see if it is related to my browser.
  • I have tried reproducing the issue in safe mode to rule out problems with unsupported custom resources.

Describe the issue you are experiencing

I have set up a user, let's call it MyNonAdmin user, with visibility rights only to 2 of 4 views and only 1 of 2 dashboards.
Lovelace Dashboard (default) with views /Lovelace/0 and /Lovelace/1
Other Dashboard with views /Other/0, /Other/1, /Other/2, /Other/3

MyNonAdmin user is set to have visibility rights ONLY to views /Other/2 and /Other/3.

This works OK if only the mouse is used to browse the interface, i.e. NONE of the Lovelace views is visible, only the Lovelace Overview tab in the sidebar and only the /Other/2, /Other/3 view tabs.

BUT, when I log in with MyNonAdmin user in Chrome Incognito, if I manually change the URL from /Other/2, /Other/3 (which are allowed) to /Other/0, /Other/1 from the same dashboard, which should not be allowed to view, I can see the content of those tabs, 0 and 1.
Furthermore, if I change the URL to /Lovelace/0 or /Lovelace/1, I can also see those views and their content, the same as an Admin user would see it.

Describe the behavior you expected

Visibility rights should not allow a user to view pages not assigned to it, no matter how it reaches those URLs.

Steps to reproduce the issue

  1. Create a new dashboard and add 2 or more views
  2. Create a new non-admin user
  3. Set visibility for new user to only 1 of the new dashboard views, let's say /mydashboad/0 only
  4. Log in with this user
  5. Manually change the URL from /mydashboad/0 to /mydashboad/1 or /lovelace/0, /lovelace/1
  6. You should not be able to see the content of those views not set for visibility

What version of Home Assistant Core has the issue?

2024.4.3

What was the last working version of Home Assistant Core?

No response

In which browser are you experiencing the issue?

Google Chrome 124.0.6367.92 (Official Build) (64-bit)

Which operating system are you using to run this browser?

Windows 10 Home (64-bit)

State of relevant entities

No response

Problem-relevant frontend configuration

No response

Javascript errors shown in your browser console/inspector

No response

Additional information

No response

@piitaya
Member

piitaya commented Apr 29, 2024

This option is only about visibility, not restriction. It's totally normal to have access if you type the URL manually. It's explained in the documentation: https://www.home-assistant.io/dashboards/views/#visible
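As an added illustration (not from the issue thread or the Home Assistant project itself), the dashboard layout described in the report expressed as a YAML view configuration using the `visible` option from the linked documentation; the user ID is a placeholder, and the comments state what the option does and does not control.

```yaml
# Added example: "Other" dashboard from the report, with views 0-3.
# `visible` is a UI hint: it decides which tabs are rendered in the
# navigation bar for each user. It is not an authorization check, so a
# view that is hidden for a user is still served when its path is
# requested directly (e.g. /other/0), exactly as the reporter observed.
# Anything that must be kept private from a user must not be placed on
# a dashboard that user can reach at all.
title: Other
views:
  - title: Other 0
    path: "0"
    # No `visible` key: tab shown to every user (admins always see all).
    cards: []
  - title: Other 1
    path: "1"
    cards: []
  - title: Other 2
    path: "2"
    # Tab rendered only for the listed user IDs (Settings > People > user).
    visible:
      - user: "<MyNonAdmin-user-id-placeholder>"
    cards: []
  - title: Other 3
    path: "3"
    visible:
      - user: "<MyNonAdmin-user-id-placeholder>"
    cards: []
```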
