Security concern `?edit=1`

I wanted to give a non-admin user a very restrictive access to Home Assistant.
I already have seen the Tabs in Lovelace having Visibility setting

  • I created a non-admin user
  • I turned off the visibility of each and every Tab for this user
  • I created a new Tab, and allowed the visibility, and placed the things I wanted to expose.
  • Launched a new browser in private mode and logged in as this user.

Tab wise everything was good, however on the side panel I saw that the user had visibility to

  • Map
  • Logbook
  • History

I naively thought that there should be a way to hide those as well,
Well apparently not, many threads and many users brought up the point , and they were all pointed to default_config settings, which interestingly I never set, in fact I grep-ed my HomeAssitant folder for that string and the only place I found was in frigate component.

Seriously, what business does regular (restricted) users have in seeing Map, History or Logbook, which shows everything, what is the point of restrictive access?

Next I jumped on discord to see if I was missing something obvious, as I couldn’t fathom that such an amazing software, wouldn’t have a way.

SadPanda on discord kindly suggested that I look into kiosk_mode which worked well and hid the side panel completely.
Until he also mentioned about “locking yourself out and not being able to edit the lovelace dashboard” if this happens to use: ?disable_km=&edit=1

This is what I believe is the Security Concern.
using the parameter edit=1 even as a restricted user, grants full lovelace visibility to the user, all Tabs become visible
I understand the need to have some kind of a fallback protection, but why is that not limited to admins only?
Why a non-admin would have such access.

5 Likes

I’ve just been setting up home assistant too and would like to give non-admin users are very limited views and controls of devices.

For a home automation product with potential access to door locks and powered devices I would have thought security and access restrictions would be a top notch requirement.

Very concerning.

If you feel this is issue maybe should post in home assistant GitHub?

Maybe you get response there

I posted it in Github as suggested.
And here’s the response I got from Frenck.

This is not a bug; it is even documented as such:
Authentication - Home Assistant
It is a visual difference, not a security feature.