Hidden flows, nodes, locked subflows

I am new on the forum but working with Node-red for about 4 years. I am very happy to see lots of improvements during this time. I would like to ask for suggestions regarding some features I still miss and also see whether already planned developments can solve my problems in the near future.
My use case is an IoT extension for measuring systems (mainly weighing systems) with or without touchscreen interface. I list some important things for better understanding what I want and why.

  1. The core functions are implemented as NR flows. These should be hidden for the user by all means.
  2. NR editor with a ’playground’-palette is open for the user making him able to customize and extend some functionality of the core system (i.e. define logic rules how outputs behave, forward alarm status to email etc.)
  3. Nodes in this ’playground’ should work in an intuitive way without deeper knowledge about msg object, javascript coding, node.js etc. Similar way like wiring a slider and a gauge node dashboard. It works without manipulating messages…

To achieve 1. and 2. it would be fine to have some possibility to hide flows in the editor or at least lock them (maybe by defining optional permissions on a per flow basis in settings.js ?). Currently I run two instances of NR (the second one as the mentioned playground) and establish connection between them through TCP sockets/ RAM mounted file / MQTT whatever. This way I can hide the core system. Is there any other choice to block access to certain flows?
To achieve 3. I have to offer a customized palette showing only those nodes which can be suitable elements of the ’playground’. These nodes can be standard nodes, subflows (I am happy that subflow features are getting better and better), own implementations (nodegen is a great help, I wish it could eat subflows as well..) It is sure that I need to remove nodes from the palette but without deleting or disabling them. As far as I know it is not possible at the moment. My current workaround is that I remove them from the editor in CSS. Something like

#palette_node_websocket_in {
This hacking is far from perfect solution. Is there any better choice?

This sounds like a security nightmare, as you have a running flow that you couldn't see and had no control of.

At least when someone was mining cryptocurrency using unsecured Node-RED instances they could easily see that they had been hacked. If this was implemented in the core Node-RED you could be hacked and there would be no easy way to see.

If someone has access to edit settings.js and can set a flow hidden, he can probably do a couple of other things as well on that machine...

1 Like

Lol, the ‘fork’ button was specifically made for you :wink: