Should service "cast.show_lovelace_view" be admin-only?

There seems to be a user permission issue…

I have Google-assistant as a user without admin rights dedicated to Google Assistant.

I’ve wrote the a script exposed to Google assistant using “Activate kitchen dashboard” phrase to run this script. The script is confirmed working via UI using my owner admin account.

But when calling it through Google Assistant, I get the following error:

2021-03-31 10:56:45 INFO (MainThread) [homeassistant.components.script.cast_kitchen_display_action] cast_kitchen_display_action: Executing step call service
2021-03-31 10:56:45 ERROR (MainThread) [homeassistant.components.script.cast_kitchen_display_action] cast_kitchen_display_action: Error executing script. Unauthorized for call_service at pos 1: Unauthorized
2021-03-31 10:56:45 ERROR (MainThread) [homeassistant] Error doing job: Task exception was never retrieved
Traceback (most recent call last):
File "/usr/src/homeassistant/homeassistant/helpers/script.py", line 1041, in async_run
await asyncio.shield(run.async_run())
File "/usr/src/homeassistant/homeassistant/helpers/script.py", line 254, in async_run
await self._async_step(log_exceptions=False)
File "/usr/src/homeassistant/homeassistant/helpers/script.py", line 262, in _async_step
await getattr(
File "/usr/src/homeassistant/homeassistant/helpers/script.py", line 463, in _async_call_service_step
await service_task
File "/usr/src/homeassistant/homeassistant/core.py", line 1488, in async_call
task.result()
File "/usr/src/homeassistant/homeassistant/core.py", line 1523, in _execute_service
await handler.job.target(service_call)
File "/usr/src/homeassistant/homeassistant/helpers/service.py", line 708, in admin_handler
raise Unauthorized(context=call.context)
homeassistant.exceptions.Unauthorized: Unauthorized

However, setting Google-assistant user account to be Administrator does not give the error and works perfectly.

Purpose of this thread

  • Should Cast be an admin-only function?
  • What level of permission should we give to voice assistants?
  • Any concern in enabling admin for Google assistant?

My answer to first 2 are: No, cast should be available to all users. All users should always have lowest possible permission setting.

Have just hit this same problem trying to cast from a user.
I believe users should be able to, they can already view the content so why not allow them to cast it too.

Raised a github issue for this.
Users unable to call service cast/show_lovelace_view · Issue #9884 · home-assistant/frontend (github.com)

1 Like

I was in the same situation and created a restful command for it.

  1. As an administrator, issue a long-live access token
  2. Create a restful command in the configuration.yaml:
rest_command:
  privileged_show_lovelace_view:
    url: http://localhost:8123/api/services/cast/show_lovelace_view
      method: post
      headers:
        authorization: !secret api_admin_showlovelaceview_token
      content_type: "application/json; charset=utf-8"
      payload: '{
          "entity_id": "{{ entity_id }}",
          "dashboard_path": "{{ dashboard_path }}",
          "view_path": "{{ view_path }}"
        }'
  1. Put the issued token in the secrets.yaml
  2. In the cards’ YAML, replace all cast.show_lovelace_view to rest_command.privileged_show_lovelace_view

This should allow non administrators to cast dashboard views now.

1 Like