Add permission checks to Rest API #18639
Can we put the Hass.io user into the admin group first?
After this PR we can also start to remove the legacy API password :P
This should not be a breaking change. I'll fix the Hass.io user and put it in the admin group. After that it should not be one?
Updated so that the Hass.io component migrates the existing user to admin and new users will also be created as admin.
All scripts that use the new long-lived token won't work anymore if it was created with a non-admin user -> breaking change? Also scripts with the old API token system. That affects a lot of installations.
All existing users are part of the admin group. Only system users were not automatically migrated but that's only needed for Hass.io, which I have added.
About removing the legacy API password -> we need to update all HTTP tests to be using access tokens first…
* Add permission checks to Rest API
* Clean up unnecessary method
* Remove all the tuple stuff from entity check
* Simplify perms
* Correct param name for owner permission
* Hass.io make/update user to be admin
* Types
Description:
This adds permission checks to the Rest API.
Since a lot of these APIs directly touch the core pieces of HA, they are limited to admin only (updating states, streaming all events, rendering arbitrary templates).
Checklist:
`tox`. Your PR cannot be merged unless tests pass
If the code does not interact with devices:
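
The pattern discussed in this thread, as an added example that is not code from the PR or from Home Assistant: a REST handler that changes core state is gated on admin group membership, and a pre-existing system user (the Hass.io case raised above) is migrated into the admin group so it keeps working. Every name here (`User`, `admin_only`, `post_state`, `migrate_system_user`, the `admin` group id) and the 401 mapping are assumptions made for the sketch.

```python
from dataclasses import dataclass, field

GROUP_ADMIN = "admin"  # assumed group id for this sketch


class Unauthorized(Exception):
    """Raised when the authenticated user lacks the required permission."""


@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)
    system_generated: bool = False

    @property
    def is_admin(self) -> bool:
        return GROUP_ADMIN in self.groups


def admin_only(handler):
    """Reject the call before the handler can touch core state."""
    def wrapper(user, *args, **kwargs):
        if not user.is_admin:
            raise Unauthorized(f"{user.name} is not an admin")
        return handler(user, *args, **kwargs)
    return wrapper


STATES = {}  # constructed in-memory stand-in for the state store


@admin_only
def post_state(user, entity_id, state):
    """Hypothetical 'update state' endpoint body."""
    STATES[entity_id] = state
    return 200


def call(handler, user, *args):
    """Translate Unauthorized into an HTTP status (401 assumed here)."""
    try:
        return handler(user, *args)
    except Unauthorized:
        return 401


def migrate_system_user(user):
    """One-time migration: an existing system user joins the admin group."""
    if user.system_generated:
        user.groups.add(GROUP_ADMIN)
    return user
```

A token issued to a non-admin user gets the 401 path, which is the compatibility concern raised in the thread for scripts using long-lived tokens.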