I've got the following use case: I would like to have a user which is fully capable to interact with the dashboard, while any real adaptions on the flows should not be permitted.
According to Securing Node Red I created a default user that has only read options for the flow, and another Pw user that has full access.
No what I've got is: The flows are readable but not adaptable. Meaning I can see everything but not deploy changes. However, if I try to access the dashboard a login is required. I was hoping that in this case no login is required to access the dashboard.
Is there any option to realize what I am trying to achieve? So no password for accessing the dashboard ui, but a password to adapt the flows? - Just to be clear on that: I do not need more than one user, just a "not signed in" and a "signed in" behaviour.
Also I've got one additional question that just concerns node-red security itself: Is there a permission that may let the user check the flow itself, but not the contents of each node? Since some config nodes contain passwords that would also be great.
No, the permissions are not that fine grained. However, it should also be the case that nodes that contain passwords have properly flagged them as credentials. Any credential type property are never returned to the editor after they have been set - they simply don't appear in the flow json the editor loads. So it is not possible for any user, read-only or otherwise, to get access to passwords after they have been set.
If you know of any config nodes that do still expose the password after it has been set (and the editor itself reloaded), then please let us know - or better yet, raise an issue on the node so it can be updated to follow the proper practices.
Ok thanks for the hint. I passed user information to subflows via params, which is where the passwords got stored. I now store all passwords directly in the nodes, and I realized that the credentials of the nodes I use are properly secured. Thanks.
