Allow fritzbox integrations to work (restricted) without admin access

I want to use the fritz integrations to show the state of the accessible sensors and to have access to the callmonitor and the fritz fon. This can be done without giving administrator rights to the fritzbox user.
Unfortunately the fritzbox integrations (tools and call monitor) refuse to work without administrator rights, however this is not necessary for restricted access. For security reasons I don’t want to give home assistant full control over my fritzbox. I think the integrations should support the access which the user is given by the fritzbox configuration.

Thanks in advance!

I agree!
Just for info: the “AVM FRITZ! SmartHome” extension works with a limited account, while the “AVM FRITZ! Box Tools” and “AVM FRITZ! Box Call Monitor” extensions don’t work with limited accounts, right?

I can’t answer your question, because I don’t use the SmartHome functionalities from FritzBox.

That’s a very reasonable question. Would be great if this could be answered. Thanks a lot, guys!

I would be interested in this too. I would like to monitor which devices are connected without admin access.

also interested in restricting the fritzbox user …

I would also be interested in using a restricted, dedicated fritz box user.

Hi :wave:
what exactly do you mean with administrator rights? Do you mean the “FRITZ!Box Settings” (FRITZ!Box-Einstellungen) permission?

Hi there,

from the documentation of my fritzbox:

FRITZ!Box users can be created to set up the access options to settings or information of this FRITZ!Box from the home network individually for each user.

The integration should be able to use one of these users, instead of relying on the administration account which would normally be used to configure the box.

Hope that helps.

Hi,

the documentation of the AVM Fritz!Box Call Monitor explicitly describes how to add a dedicated user in the Fritz!Box. The documentation of the AVM FRITZ!Box Tools just describes how you figure out what your current admin user is called, but you can still use any other Fritz!Box user to set up this integration. Did you try it?

Thanks for pointing that out: Call monitor works now with a non-administrative account. Not sure if this was already documented in '22.

For the Tools I would very much welcome it if they would be able to function with a user not allowed to change the configuration of the Box. For the integration there is an unknown error if I use the same restricted account as for the call monitor.
I don’t know the specifications of the Box’s API so I can’t tell if it would be possible, for example, to use the device_tracker without this “configuration” right.

Thanks for pointing that out: Call monitor works now with a non-administrative account.

you’re welcome :+1:

Not sure if this was already documented in '22.

It has been added to the docs in Feb’21 with #16510

For the integration there is an unknown error,

do you have any debug logs from this try with a non-admin user?

I don’t know the specifications of the Box’s api so i can’t tell if it would be possible,

I’ve already read the AVM TR-064 API docs. Unfortunately they only mention that you have to use a login first for any API calls, but it is not mentioned which permissions the user needs. So it might end up in a trial & error approach :thinking:

For the integration there is an unknown error,

do you have any debug logs from this try with a non-admin user?

2024-09-29 14:00:58.982 ERROR (MainThread) [aiohttp.server] Error handling request
Traceback (most recent call last):
  File "/usr/local/lib/python3.12/site-packages/aiohttp/web_protocol.py", line 462, in _handle_request
    resp = await request_handler(request)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/aiohttp/web_app.py", line 537, in _handle
    resp = await handler(request)
           ^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/aiohttp/web_middlewares.py", line 114, in impl
    return await handler(request)
           ^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/src/homeassistant/homeassistant/components/http/security_filter.py", line 92, in security_filter_middleware
    return await handler(request)
           ^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/src/homeassistant/homeassistant/components/http/forwarded.py", line 83, in forwarded_middleware
    return await handler(request)
           ^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/src/homeassistant/homeassistant/components/http/request_context.py", line 26, in request_context_middleware
    return await handler(request)
           ^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/src/homeassistant/homeassistant/components/http/ban.py", line 85, in ban_middleware
    return await handler(request)
           ^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/src/homeassistant/homeassistant/components/http/auth.py", line 242, in auth_middleware
    return await handler(request)
           ^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/src/homeassistant/homeassistant/components/http/headers.py", line 32, in headers_middleware
    response = await handler(request)
               ^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/src/homeassistant/homeassistant/helpers/http.py", line 73, in handle
    result = await handler(request, **request.match_info)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/src/homeassistant/homeassistant/components/http/decorators.py", line 81, in with_admin
    return await func(self, request, *args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/src/homeassistant/homeassistant/components/config/config_entries.py", line 222, in post
    return await super().post(request, flow_id)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/src/homeassistant/homeassistant/components/http/data_validator.py", line 74, in wrapper
    return await method(view, request, data, *args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/src/homeassistant/homeassistant/helpers/data_entry_flow.py", line 122, in post
    result = await self._flow_mgr.async_configure(flow_id, data)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/src/homeassistant/homeassistant/data_entry_flow.py", line 366, in async_configure
    result = await self._async_configure(flow_id, user_input)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/src/homeassistant/homeassistant/data_entry_flow.py", line 413, in _async_configure
    result = await self._async_handle_step(
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/src/homeassistant/homeassistant/data_entry_flow.py", line 516, in _async_handle_step
    result: _FlowResultT = await getattr(flow, method)(user_input)
                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/src/homeassistant/homeassistant/components/fritz/config_flow.py", line 201, in async_step_confirm
    error = await self.hass.async_add_executor_job(self.fritz_tools_init)
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/concurrent/futures/thread.py", line 58, in run
    result = self.fn(*self.args, **self.kwargs)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/src/homeassistant/homeassistant/components/fritz/config_flow.py", line 99, in fritz_tools_init
    self._model = connection.call_action("DeviceInfo:1", "GetInfo")["NewModelName"]
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/fritzconnection/core/fritzconnection.py", line 456, in call_action
    return self.soaper.execute(service, action_name, arguments)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/fritzconnection/core/soaper.py", line 286, in execute
    return handle_response(response)
           ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/fritzconnection/core/soaper.py", line 268, in handle_response
    raise_fritzconnection_error(response)
  File "/usr/local/lib/python3.12/site-packages/fritzconnection/core/soaper.py", line 191, in raise_fritzconnection_error
    raise exception(message)
fritzconnection.core.exceptions.FritzSecurityError: UPnPError: 
errorCode: 606
errorDescription: Action Not Authorized

Hope that helps.

Since the “Action Not Authorized” already occurs on the simple call_action("DeviceInfo:1", "GetInfo"), the user is probably too restricted. What exact permissions does this user have (or not have)?

The user is configured as follows:

Authorizations
- FRITZ!Box settings
Users with this authorization can view and edit all settings of the FRITZ!

+ Voice messages, fax messages, FRITZ!App Fon and call list
Voice messages, received faxes and the call list can be listened to or viewed. FRITZ!App Fon can be used.

+ Smart Home
The FRITZ! actuators registered on the FRITZ! box can be switched on and off via MyFRITZ! access.

- Access to NAS content
Users with this authorization have access to the storage available on the FRITZ!Box: internal storage, connected USB storage and online storage.

- VPN
VPN connections to the FRITZ!Box can be established.

So it seems there is no read-only option, just allow or deny access to the settings. So it is a limitation in the Fritzbox itself.

If only I could read… :person_facepalming:
Sorry for the inconvenience.
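
The trial-and-error check discussed in this thread, as an added example that is not part of any post or of the integration's code: it calls a list of TR-064 actions through any object with a fritzconnection-style `call_action` method and separates error 606 (Action Not Authorized) from other failures. The stub connection, its answers and the two extra probe actions are assumptions constructed for the demo.

```python
import re

# (service, action) pairs to try. DeviceInfo:1/GetInfo is the call from the
# traceback in this thread; the other two are assumed read-only TR-064 actions.
PROBES = [
    ("DeviceInfo:1", "GetInfo"),
    ("Hosts:1", "GetHostNumberOfEntries"),
    ("WANIPConn:1", "GetExternalIPAddress"),
]
UPNP_CODE = re.compile(r"errorCode:\s*(\d+)")


def classify(exc):
    """Turn an exception into (verdict, UPnP code) from its message text."""
    match = UPNP_CODE.search(str(exc))
    code = int(match.group(1)) if match else None
    # 606 "Action Not Authorized" is a permission problem, not a broken setup.
    return ("denied" if code == 606 else "error", code)


def probe_permissions(connection, probes=PROBES):
    """Call each action once; report allowed / denied / error per action."""
    report = {}
    for service, action in probes:
        try:
            connection.call_action(service, action)
        except Exception as exc:  # keep probing after a failure
            report[(service, action)] = classify(exc)
        else:
            report[(service, action)] = ("allowed", None)
    return report


class StubConnection:
    """Constructed stand-in for a session; its answers are made up for the demo."""

    def call_action(self, service, action):
        if service == "DeviceInfo:1":  # mirrors the error in the traceback
            raise PermissionError(
                "UPnPError: \nerrorCode: 606\nerrorDescription: Action Not Authorized"
            )
        if service == "WANIPConn:1":  # some unrelated failure
            raise RuntimeError("UPnPError: \nerrorCode: 401\nerrorDescription: Invalid Action")
        return {}


if __name__ == "__main__":
    for key, verdict in probe_permissions(StubConnection()).items():
        print(key, verdict)
```

Passing a real `fritzconnection` `FritzConnection` logged in as the restricted user, instead of the stub, shows which of the listed actions that account may call.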