[QUESTION] Make config.yml inaccessible from browser #1691

Grishkaone opened this issue Sep 15, 2024 · 1 comment
@Grishkaone

Question

Hello there!

I'm new to Dashy, and I love it. I'm testing the authentication system and something is annoying me.

I particularly like the authentication system and the ability to show or hide certain elements to guests or authenticated users.
For example, I can include a section with bookmarks to local IPs that I don't want displayed to just anyone, that's great.

But one detail bothers me: even if I decide to hide these sections, their content can still be easily consulted by a guest. Either from the main menu, by clicking on the name of the configuration file at the bottom of the popup, or by directly opening the address my.dashboard.com/config.yml.

Hiding or not hiding these elements is only aesthetic and does not protect them.

I've already added a bit of CSS to hide the link in the menu, but that doesn't solve everything.

I feel like I'm missing something: is there a way to make the contents of this file inaccessible to non-admin users and guests? Without cutting off the possibility of consulting/editing the configuration from the UI for an administrator.

Have a nice day!

Category

Authentication

@Grishkaone Grishkaone added the 🤷‍♂️ Question [ISSUE] Further information is requested label Sep 15, 2024
@nOw-Ay
Contributor

nOw-Ay commented Nov 17, 2024

> I feel like I'm missing something: is there a way to make the contents of this file inaccessible to non-admin users and guests? Without cutting off the possibility of consulting/editing the configuration from the UI for an administrator.

The issue is that in Dashy, all pages are rendered client side. Hence, the browser needs to have the configuration file in order to render it. One solution could be to implement a page protection system, making some resources only reachable by authorised users.

But implementing this could be very hard; Dashy currently does very few server-side checks. Implementing this solution would be a very positive income for the whole project since it would also allow other issues to be solved (for example, the ability of having guest users with OIDC).
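
One form the server-side check mentioned in the comment above could take, as an added example that is not part of the thread and not Dashy's code: the raw config file is refused unless the request carries an admin credential, and the decision is made on the canonical path rather than the literal request string. The bearer token, the connect-style `guard` middleware and all function names are assumptions; serving guests a filtered config to render from is not covered here.

```javascript
// Added example: not Dashy's code. Paths, token and function names are assumptions.
const crypto = require('node:crypto');
const path = require('node:path');

const PROTECTED = new Set(['/config.yml']);      // path named in the issue
const ADMIN_TOKEN = 'constructed-sample-token';  // constructed; keep real secrets out of source

// Reduce the request target to the path a static file handler would resolve,
// so encoded, dotted, doubled-slash or upper-case variants hit the same check.
function canonicalPath(rawUrl) {
  const rawPath = String(rawUrl).split(/[?#]/)[0];
  let decoded;
  try {
    decoded = decodeURIComponent(rawPath);
  } catch {
    return null;                                 // malformed percent-encoding
  }
  if (decoded.includes('\0')) return null;       // embedded NUL byte
  const normal = path.posix.normalize('/' + decoded.replace(/\\/g, '/'));
  return normal.replace(/\/+$/, '').toLowerCase() || '/';
}

// Compare fixed-length digests so timingSafeEqual never sees unequal lengths.
function isAdmin(headers) {
  const m = /^Bearer (.+)$/.exec(headers.authorization || '');
  if (!m) return false;
  const given = crypto.createHash('sha256').update(m[1]).digest();
  const wanted = crypto.createHash('sha256').update(ADMIN_TOKEN).digest();
  return crypto.timingSafeEqual(given, wanted);
}

// Returns the HTTP status the guard would answer with (200 = pass through).
function decide(rawUrl, headers) {
  const p = canonicalPath(rawUrl);
  if (p === null) return 400;
  if (PROTECTED.has(p) && !isAdmin(headers)) return 401;
  return 200;
}

// Connect-style middleware; mount it before the static file handler.
function guard(req, res, next) {
  const status = decide(req.url, req.headers);
  if (status === 200) return next();
  res.statusCode = status;
  res.setHeader('Cache-Control', 'no-store');
  res.end();
}
```

Hiding the link with CSS, as described in the question, changes none of these outcomes: only a check that runs before the file is read decides whether a guest receives it.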
