WTH: Why is there no enhanced and efficient access control for lovelace VIEWS?

Currently a quite effective access protection is possible by restricting access to certain lovelace dashboards.

When it comes to views, the current situation unfortunately is:

  • once a user knows the navigation path (the URL like e. g. /lovelace/server-mgmt), (s)he can access that view if it is part of a dashboard (s)he is allowed to access.
  • so it’s a common misconception of people thinking, that ticking the boxes in the individual view settings is really blocking users of accessing this view.
    In other words: this is not far away from something like “security by obscurity”

Trying to initially hide that navigation path in the UI is possible e. g. using GitHub - iantrich/restriction-card: 🔒 Apply restrictions to Lovelace cards, but is a) quite some work and b) not very efficient cause it’s just a workaround for a root cause.

I would be happy if users with a disabled view access configuration are presented with a “Uh uh uuuh, nothing for you to see here is, go back you can!” yoda style page. Just kidding, fine with any other non-yoda-based improvement here too :wink:

Please search before you create a WTH.