Logbook Access now restricted to admin (v0.112.2) - logged Websocket API error

TazUk · July 5, 2020, 4:19pm

I’ve happened to notice that my non-admin user account cannot access the logbook (via either the mobile app on Android or using Chrome with the same user).

I believe this has come about recently, possibly with the update to 0.112.x (although i cannot be 100% sure).

I get an error logged:

Logger: homeassistant.components.websocket_api.http.connection.139629326808784
Source: components/websocket_api/connection.py:97
Integration: Home Assistant WebSocket API (documentation, issues)
First occurred: 17:16:06 (1 occurrences)
Last logged: 17:16:06

Error handling message: Unauthorized

I’ve not seen any changes in the documentation or the release notes to suggest this was expected, and the Logbook sidebar menu item is still offered to non-admin users.

History seems unaffected.

SeanM · July 5, 2020, 4:25pm

Yeah, this was an unintentional bug that is being fixed.

The Logbook now shows which user who made the change such as “Living Room Light turned on (Suzy)”, but it used an admin-only API to retrieve that user info.

It’s being updated to use Persons instead of Users, which will make it work for all account types.

TazUk · July 5, 2020, 4:27pm

Figured as much, after the great turbocharging work in that area for this release.

Thanks for the quick clarification.

lishan89uc · August 9, 2020, 7:49am

@SeanM is it possible to make this bug a feature? I would love to make a user unable to access logs, history, or map.

SeanM · August 12, 2020, 8:08am

Enhanced permissions (ACL system) is planned, but will likely take a while as there’s a significant amount of work involved, and other things have priority at the moment.

But you can sort of do what you want with Custom Sidebar by Villhellm. That has an “exceptions” feature where you can hide sidebar items from certain user accounts. I’m pretty sure it simply removes it from the sidebar though - if the user knew the URL(s) they’d still be able to type it in and access those pages directly.

TazUk · April 13, 2021, 4:54pm

Sorry to necro the thread, but it looks like this has returned with 2021.4.4 unless I’m mistaken?
Raised as Issue 49180

Logger: homeassistant.components.websocket_api.http.connection
Source: components/websocket_api/connection.py:131
Integration: Home Assistant WebSocket API (documentation, issues)
First occurred: 17:33:40 (1 occurrences)
Last logged: 17:33:40

[140501300083728] Error handling message: Unauthorized

Jedrek · April 18, 2021, 3:16pm

I have the same problem after the April updates, a non-admin user cannot access to the logbook.
The previous condition was very good because users who were not administrators could view the history of events from logbook. I am waiting for the next update that will fix this error

Jedrek · April 19, 2021, 7:47pm

Unfortunately, today’s update (core-2021.4.6) did not solve the problem. Still a non-admin user cannot access to the logbook. I have a message in my log:
ERROR (MainThread) [homeassistant.components.websocket_api.http.connection] [140555355526384] Error handling message: Unauthorized

TazUk · April 19, 2021, 7:55pm

I’d suggest subscribing to updates on the related GitHub issue to get a notification when the issue is resolved.