I wanted to give a non-admin user very restricted access to Home Assistant.
I had already seen that the Tabs in Lovelace have a Visibility setting:
- I created a non-admin user
- I turned off the visibility of each and every Tab for this user
- I created a new Tab, and allowed the visibility, and placed the things I wanted to expose.
- Launched a new browser in private mode and logged in as this user.
Tab-wise everything was good; however, on the side panel I saw that the user had visibility of:
- Map
- Logbook
- History
I naively thought that there should be a way to hide those as well.
Well, apparently not: many threads and many users brought up the point, and they were all pointed to the default_config
settings, which interestingly I never set; in fact I grepped my Home Assistant folder for that string and the only place I found it was in the frigate
component.
Seriously, what business do regular (restricted) users have seeing Map, History or Logbook, which show everything? What is the point of restricted access?
Next I jumped on Discord to see if I was missing something obvious, as I couldn’t fathom that such amazing software wouldn’t have a way.
SadPanda on Discord kindly suggested that I look into kiosk_mode,
which worked well and hid the side panel completely.
Until he also mentioned “locking yourself out and not being able to edit the Lovelace dashboard”; if this happens, use: ?disable_km=&edit=1
This is what I believe is the security concern:
using the parameter edit=1,
even as a restricted user, grants full Lovelace visibility to the user; all Tabs become visible.
I understand the need to have some kind of fallback protection, but why is that not limited to admins only?
Why would a non-admin have such access?
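For anyone reproducing the setup described in this post, here is the configuration it corresponds to, written out as an added example (it is not the poster's own config). It assumes a dashboard in YAML mode; the two user ids are placeholders for the values shown under Settings > People, and the kiosk_mode keys are taken from the kiosk-mode custom integration's documented options, so check them against the current README.

```yaml
# Added example, not from the original post.
# A Lovelace dashboard (YAML mode) with per-user view visibility plus a
# kiosk_mode block that hides the sidebar for non-admin users.
title: Home
views:
  # A list under `visible` restricts the view to the listed user ids.
  - title: Overview
    path: overview
    visible:
      - user: 00000000000000000000000000000000   # placeholder: admin user id
    cards:
      - type: entities
        entities:
          - lock.front_door
          - alarm_control_panel.home
  # The only view the restricted user is meant to see.
  - title: Guest
    path: guest
    visible:
      - user: 11111111111111111111111111111111   # placeholder: restricted user id
    cards:
      - type: entities
        entities:
          - light.guest_room
          - switch.guest_fan

# kiosk-mode (custom frontend integration, assumed installed via HACS).
# Keys assumed from the project's docs: hides sidebar and header for non-admins,
# which removes Map / Logbook / History from what the user is shown.
kiosk_mode:
  non_admin_settings:
    hide_sidebar: true
    hide_header: true
```

The caveat to keep in mind is the one the post itself raises: both the `visible` lists and kiosk_mode act in the browser, so they control what is rendered, not what the account is allowed to read. Appending `?disable_km=&edit=1` switches the dashboard into edit mode and, as described above, every view becomes visible to the non-admin user, and hiding the sidebar does not change what the account can fetch from the backend. Treat this configuration as a convenience layer for a trusted user, and do not create an account at all for someone who must not see the state of your entities.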