Import rules by rest api

I have multiple wind turbines which are publishing data on multiple mqtt topics and using function node I am able to apply rules to filter that data and again publishing that filtered data on different mqtt topics in node red.
But my concern here is,I am able to apply the rules as a developer but if an end user wants to apply or change the specific rule,how he can change that as he doesn't have knowledge of node red.
Is there any way to call rest-api in node which would send the rules along with it(by user-interface) red and apply or replace the existing rule.
I have successfully called rest-api and got the "hello" message but how can I replace the existing function rule by that msg?

What sort of things do you want the user to able to specify? Does he/she need the ability to provide replacement javascript code for the function node or just to provide some parameters for it?

1 Like

Hi @Colin Thanks for replying
see the data is coming through mqtt node and the filter(function) is been applied to filter data.
Suppose the data is coming in every 20 seconds and I am filtering it per 60 seconds and pushing the average values.
Now if the end user want to change this rule and he wants it to filter per 120 seconds or he wants the sum of datapoints instead of average.But he cannot modify the JS rule coz he is end-userand not a developer.
So i want to create an UI using which the end user can apply his own rules and the rules will be sent by rest-api to node-red and the existing rule would be replaced by user rules

Have you checked out node-red-dashboard or node-red-contrib-uibuilder yet? These are both nodes that allow you to create a UI, where the Dashboard is batteries included, and Uibuilder allows you to create specific interfaces from (near) scratch.

1 Like

As @afelix says, take a look at the dashboard project, with which you should be able to create something that someone of any gender can use.


Another alternative might be to use a database as an intermediary. By pushing your base data to InfluxDB for example (a timeseries database), you can create really good dashboards using Grafana which has visual help for building queries against the database. InfluxDB allows you to pretty easily manipulate the timeseries and it becomes pretty trivial to change from per second to per hour or day averages (with max/min as well if you like).

Users would still need some skill in building the queries visually but it isn't that hard once you have the basics in place.

The problem with doing things like this in Dashboard or uibuilder is the shear number of variables you have to think about and program into the interface. If you can reduce those to a minimum, it wouldn't be so bad.


Perhaps you could identify a fixed set of rules for your use-case that the end user is able to choose from. These different classes of rules could each provide a set of parameters that could be modified by the end user.

For example your filter function would be one kind of rule, taking the duration as parameter.

Just a thought. :slightly_smiling_face:


Hi @Colin yes he/she needs the ability to provide whole replacement javascript code for the function node

Then you would need to set the JS code via message property, but that is not supported by the default function node at the moment. And that could also be dangerous regarding security. :thinking:

1 Like

And in the end you will end up with a software system, that allows the users to easily configure rules using JS code.

I think I know of a software that already provides that kind of functionality, it is called Node-RED. :see_no_evil:

Basically, what you need would be per-node access rights, so the user could only edit specific function nodes. :thinking:

You would have to consider what would happen if the user entered code that caused node-red to crash or hang. That would take down your whole system.

What I believe the question was here is to have the full/partial part of the code inside the function node be changed, so not just incoming values, but the actual code. Sounds like something that can be done by running eval() calls inside the function node, but if you actually want to/should do that is a huge question, especially as those would be incoming from external requests/external code. If that external part gets compromised, you're giving your system away.

Can you explain what kind of rules or external code you are talking about, or in more detail what kind of functionality you want to have changed? There must be a far better way to do this than what you are asking to do.

1 Like

Yes, I believe executing external code would be... unwise...:slightly_smiling_face:

Thinking of for (;;) {}.... that's a killer app. :smiling_imp:


Once again, please keep everything in the same thread please...

So your “rules” as you call them are JavaScript code that run manipulations on the messages. Have you thought of a way you can abstract those rules so that only specific variables change, or code is conditionally executed instead? You mention that you don’t want end users to have to dive into the flows and edit specific nodes, but based on this you still want them to write code.

Especially with the “wind farms over MQTT” from the first post this suggests that it’s an industrial project of a kind, a SCADA system potentially. By having your users execute arbitrary JavaScript code through those “rules” you are opening your industrial system to (remote) code execution. In regular situations code execution vulnerabilities are already pretty bad. On an industrial scale however, it’s horrible. I’ll be removing the post with the flow I posted yesterday in a moment so it cannot be utilised for this.

Please specify carefully why you need your rules like this, and why a setup with a user interface where specific parameters are changed won’t work for your situation. And keep in mind that what you might think is the road of least resistance (importing code through API calls/webhook callbacks, then executing those) comes with HUGE security risks, especially on an industrial scale/SCADA systems. Going this route might even cause mire problems on a long term scale.

My suggestion would be to go back to the drawing board and come up with a way where you get the functionality you need, without what you are asking for here. Do not try to import full “rules” as you call them, but work it out more carefully.


I thought about saving myself allot of time by allowing this once. ......don't do it.

This video gives a great example of why you don't let users send code that will run.