Lovelace card security

Lovelace cards should have an attribute specifying which security groups can see it. For example:

      - entities:
          - entity: upstairs_bathroom_light
            group: upstairs_bedroom_1
          - entity: upstairs_bedroom_1_light
            group: upstairs_bedroom_1
          - entity: upstairs_bedroom_1_fan
            group: upstairs_bedroom_1
          - entity: upstairs_bedroom_2_light
            group: upstairs_bedroom_2
          - entity: upstairs_bedroom_2_fan
            group: upstairs_bedroom_2
          - entity: guest_room_light
            group: guests
          - entity: guest_room_fan
            group: guests
          - entity: game_room_light
          - entity: game_room_fan
        access:
          - group: upstairs_bedroom_1
          - group: upstairs_bedroom_2
          - group: guests
        type: glance

This would allow people assigned to the upstairs_bedroom_1, upstairs_bedroom_2, and guests groups access to this card. The groups on the entities restrict viewing the selection for each entity to the groups assigned to that entity. No group assigned makes it visible to anyone that can view the card.
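
One way the proposed `access` and `group` keys could be evaluated on the server, so that the same rule governs what is shown and what can be controlled. This is an added example, not part of the original posts and not Home Assistant code; the keys are the proposal's, and `filter_card` and `may_control` are hypothetical names.

```python
# The `access` and `group` keys are the proposal's, not existing Lovelace
# options; filter_card() and may_control() are hypothetical helper names.

# Constructed sample: the card from the post (shortened), as a YAML loader
# would return it.
CARD = {
    "type": "glance",
    "access": [
        {"group": "upstairs_bedroom_1"},
        {"group": "upstairs_bedroom_2"},
        {"group": "guests"},
    ],
    "entities": [
        {"entity": "upstairs_bathroom_light", "group": "upstairs_bedroom_1"},
        {"entity": "upstairs_bedroom_2_fan", "group": "upstairs_bedroom_2"},
        {"entity": "guest_room_light", "group": "guests"},
        {"entity": "game_room_light"},  # no group: any card viewer
        {"entity": "game_room_fan"},
    ],
}


def filter_card(card, user_groups):
    """Return the card as this user may see it, or None if access is denied."""
    groups = set(user_groups)
    allowed = {a["group"] for a in card.get("access", [])}
    # Assumption: a card with no `access` list is unrestricted.
    if allowed and not (allowed & groups):
        return None
    # Drop the ACL keys so the group layout is not sent to the client.
    visible = {k: v for k, v in card.items() if k not in ("access", "entities")}
    visible["entities"] = [
        {k: v for k, v in e.items() if k != "group"}
        for e in card.get("entities", [])
        if "group" not in e or e["group"] in groups
    ]
    return visible


def may_control(card, user_groups, entity_id):
    """Backend check before a state change: the display rule, enforced again."""
    visible = filter_card(card, user_groups)
    return visible is not None and any(
        e["entity"] == entity_id for e in visible["entities"]
    )
```
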

IMO security shouldn’t be dealt with in the front-end

Isn’t this possible with the state-switch card? That way you could just display cards depending on who is logged in.

display or hide, fine

Probably could. But this should be standard functionality, not an addon that may be broken the next release when the-powers-that-be make a change that breaks it. The last release toasted my zwave, roomba, and ring environments. Finally got them working again with 90.1.

Agreed, that was my suggestion. The frontend should control what is able to be seen/displayed.

I looked at the state-switch and it seems it would require duplicating cards and entities multiple times for each user that has access. For example, my children each have access to the controls in the game room, but guest users do not. So I would have to duplicate all of the controls in the game room for each of my kids, but not for the guest user id. That could make for a lot of duplicate code. But if the devs would give us the ability to do an include in lovelace where we could put card sections in separate files, then the duplicate code wouldn’t be as much of an issue.

That is true though, works perfect though. I use it to display remotes for my ATV. When ATV 1 starts playing it will automatically display the correct remote control. Though yes you will need to duplicate the code (however I believe there is a way to just use an already used card, but I haven’t looked into this yet). I also use it to color my buttons whenever a button is on. Whereas I used a custom button card before I use the core one now and this way I can color them (but a lot of code indeed).

Though I do not think this will be broken soon, and if it does I think it will be fixed quickly as Thomas Loven made a lot of these cards for Home Assistant and to my knowledge also contributes a lot to the core of Home Assistant.

Watching the video, I agree, it’s a nice item. There are other places where I might use it. But with over 2000 lines in my lovelace file right now, I want to limit any more duplication than I have to. It’s already customized so that the ui editor doesn’t help. I have to use raw to configure it. Breaking up the lovelace file into manageable chunks should really be a high priority.

Ooh, I have over 4000 lines haha. Currently working on simplifying my setup as it is too much detail haha. But I get where you are coming from.

That’s not security though. Just show / hide, security - what can or can’t be done is a backend thingy

I’m asking that lovelace cards be changed to check if someone is in a group that has the ability to see items on a screen/tab. However you want to implement it, doesn’t make any difference to me. That’s for the devs to decide. I’m giving an example of a proposed implementation.

You can already do that by using yaml mode. And since you are already using the raw config editor exclusively then you will gain the ability to use !include’s and lose nothing in the GUI editor except having to make extra clicks to open your config file in a text editor.

Sounds like a win-win.

Can you show a sample of your settings, with a breakdown of the YAML for Lovelace?

You put the following in your configuration.yaml:

lovelace:
  mode: yaml

Then here is a truncated version of my ui-lovelace.yaml file:

resources:
      
  ## https://github.com/thomasloven/lovelace-card-tools
  - url: /customcards/lovelace/card-tools.js
    type: js
  
  ## https://github.com/thomasloven/lovelace-slider-entity-row  ##
  - url: /customcards/lovelace/slider-entity-row.js
    type: js
  
  ## https://github.com/bundito/radar-forecast
  - url: /customcards/lovelace/radar-forecast.js
    type: js
  
  ## https://github.com/ciotlosm/custom-lovelace/tree/master/entity-attributes-card
  - url: /customcards/lovelace/entity-attributes-card.js
    type: js
  
  ## https://github.com/custom-cards/tracker-card
  - url: /customcards/lovelace/tracker-card.js
    type: js
  
  ## https://github.com/custom-cards/vertical-stack-in-card
  - url: /customcards/lovelace/vertical-stack-in-card.js
    type: js
  
  ## https://github.com/rodrigofragadf/lovelace-cards/tree/master/tiles-card
  - url: /customcards/lovelace/tiles-card.js
    type: js
          
  ## https://github.com/finity69x2/Home-Assistant/tree/master/www/lovelace
  ## https://community.home-assistant.io/t/lovelace-state-card-example/68318
  - url: /local/lovelace/fan-control-entity-row.js
    type: js
    
  ## https://github.com/iammexx/home-assistant-config/tree/master/ui/darksky
  - url: /customcards/lovelace/dark-sky-weather-card.js
    type: module
  
  ## https://github.com/maykar/lovelace-swipe-navigation
  - url: /local/lovelace/lovelace-swipe-navigation.js?v=1.0.0
    type: js
    
title: Home Assistant (NUC)
views:
  - !include '/config/lovelace_views/lovelace_main_view.yaml'
  - !include '/config/lovelace_views/lovelace_media_view.yaml'
  - !include '/config/lovelace_views/lovelace_environment_view.yaml'
  - !include '/config/lovelace_views/lovelace_automations_view.yaml'
  - !include '/config/lovelace_views/lovelace_system_view.yaml'
  - !include '/config/lovelace_views/lovelace_zwave_view.yaml'
  - !include '/config/lovelace_views/lovelace_security_view.yaml'
  #- !include '/config/lovelace_views/lovelace_space_view.yaml'
######################################################################################################

You can use !include with the resources section, too, but I didn’t see the benefit in that.

Then, as a truncated example of my main tab (lovelace_main_view.yaml):

title: Main
#background: center / cover no-repeat url("/local/background_dark_1.jpeg")
#icon:
#badges:
cards:
  - type: entity-filter
    show_header_toggle: false
    show_empty: false
    card: 
      type: glance
      #title: People at home
    state_filter: 
      - "on"
    entities:
      - binary_sensor.ha_update_avail_template
      - binary_sensor.potential_breaking_changes
      - binary_sensor.haapi_mqtt_test
      - input_boolean.low_batteries
  - type: 'custom:home-feed-card'
    title: Notifications
    show_empty: false