Securing Tab with Password

Hello,

i try to secure a tab on my Dashboard so only the person that knows the password could work on it.

my flow for that:

[
    {
        "id": "fe447904.ed3c58",
        "type": "function",
        "z": "923d648e.9f25f8",
        "d": true,
        "name": "Statuswarnung",
        "func": "msg.payload = \" Dieses Dashboard ist zu Aufzeichnungszwecken gesichert.\" +\"<br>Die Benutzung ist nur mit einem Passwort möglich\"+\"<br> Mit freundlichen Grüßen\"+\"<br> Chorum\"\nreturn msg;",
        "outputs": 1,
        "noerr": 0,
        "initialize": "",
        "finalize": "",
        "x": 2200,
        "y": 160,
        "wires": [
            [
                "e8316994.2e51c",
                "ed95e50b.e73a3"
            ]
        ]
    },
    {
        "id": "e8316994.2e51c",
        "type": "ui_toast",
        "z": "923d648e.9f25f8",
        "d": true,
        "position": "prompt",
        "displayTime": "3",
        "highlight": "",
        "sendall": true,
        "outputs": 1,
        "ok": "Zur Kenntnis genommen",
        "cancel": "Cancel",
        "raw": true,
        "topic": "",
        "name": "",
        "x": 2410,
        "y": 160,
        "wires": [
            [
                "6873c934.b29178",
                "c9b789c9.04423"
            ]
        ]
    },
    {
        "id": "6873c934.b29178",
        "type": "debug",
        "z": "923d648e.9f25f8",
        "d": true,
        "name": "",
        "active": true,
        "tosidebar": true,
        "console": false,
        "tostatus": false,
        "complete": "true",
        "targetType": "full",
        "statusVal": "",
        "statusType": "auto",
        "x": 2570,
        "y": 200,
        "wires": []
    },
    {
        "id": "c9b789c9.04423",
        "type": "function",
        "z": "923d648e.9f25f8",
        "d": true,
        "name": "Rückleitung",
        "func": "if(msg.payload == \"Daniela\"){\n    \n}else{\n    msg.Label = '<a  href=\"http://http://url:1880/ui/#!/2\"  >Consulter</a>'\n    msg.name = \"\"\n    return msg;\n}\n",
        "outputs": 1,
        "noerr": 0,
        "initialize": "",
        "finalize": "",
        "x": 2590,
        "y": 160,
        "wires": [
            [
                "db68598e.236ce8",
                "4dc4b335.639a54"
            ]
        ]
    },
    {
        "id": "db68598e.236ce8",
        "type": "debug",
        "z": "923d648e.9f25f8",
        "d": true,
        "name": "",
        "active": true,
        "tosidebar": true,
        "console": false,
        "tostatus": false,
        "complete": "true",
        "targetType": "full",
        "statusVal": "",
        "statusType": "auto",
        "x": 2790,
        "y": 160,
        "wires": []
    },
    {
        "id": "ac13efd9.0ad9e",
        "type": "ui_ui_control",
        "z": "923d648e.9f25f8",
        "d": true,
        "name": "",
        "events": "all",
        "x": 1680,
        "y": 160,
        "wires": [
            [
                "aa19f118.d96f",
                "ea5e681e.273a28"
            ]
        ]
    },
    {
        "id": "aa19f118.d96f",
        "type": "debug",
        "z": "923d648e.9f25f8",
        "d": true,
        "name": "",
        "active": true,
        "tosidebar": true,
        "console": false,
        "tostatus": false,
        "complete": "true",
        "targetType": "full",
        "statusVal": "",
        "statusType": "auto",
        "x": 1850,
        "y": 200,
        "wires": []
    },
    {
        "id": "ea5e681e.273a28",
        "type": "function",
        "z": "923d648e.9f25f8",
        "d": true,
        "name": "Gesperrte Dashboards detecktieren",
        "func": "var name = msg.name\n\n\nif(name == \"Multiscreensetup\" || name == \"W17Kamera\"){\n    return msg;\n}else{\n    \n}\n",
        "outputs": 1,
        "noerr": 0,
        "initialize": "",
        "finalize": "",
        "x": 1940,
        "y": 160,
        "wires": [
            [
                "fe447904.ed3c58",
                "c9295c6a.c19e08"
            ]
        ]
    },
    {
        "id": "c9295c6a.c19e08",
        "type": "debug",
        "z": "923d648e.9f25f8",
        "d": true,
        "name": "",
        "active": true,
        "tosidebar": true,
        "console": false,
        "tostatus": false,
        "complete": "true",
        "targetType": "full",
        "statusVal": "",
        "statusType": "auto",
        "x": 2170,
        "y": 200,
        "wires": []
    },
    {
        "id": "ed95e50b.e73a3",
        "type": "debug",
        "z": "923d648e.9f25f8",
        "d": true,
        "name": "",
        "active": true,
        "tosidebar": true,
        "console": false,
        "tostatus": false,
        "complete": "true",
        "targetType": "full",
        "statusVal": "",
        "statusType": "auto",
        "x": 2390,
        "y": 200,
        "wires": []
    },
    {
        "id": "4dc4b335.639a54",
        "type": "function",
        "z": "923d648e.9f25f8",
        "d": true,
        "name": "Leer",
        "func": "\nreturn msg;",
        "outputs": 1,
        "noerr": 0,
        "initialize": "",
        "finalize": "",
        "x": 2190,
        "y": 40,
        "wires": [
            [
                "ac13efd9.0ad9e",
                "d8fe7823.b16228"
            ]
        ]
    },
    {
        "id": "d8fe7823.b16228",
        "type": "debug",
        "z": "923d648e.9f25f8",
        "d": true,
        "name": "",
        "active": true,
        "tosidebar": true,
        "console": false,
        "tostatus": false,
        "complete": "true",
        "targetType": "full",
        "statusVal": "",
        "statusType": "auto",
        "x": 2450,
        "y": 40,
        "wires": []
    }
]

my problem is the cancel option. it should reload the page or link to another tab.
but both variants are not working.

maybe someone else can see what i am doing wrong ?

Dearly
Chorum

PS: i tested show/hide with ui_control with that payload:
ui_control_hide_show

that test is on an other tab for testing.
but nothing is hided :frowning:

Mhmm solved the problem.

i used a simple change node and sended a simple number for aiming to the new tab.
so there is a password protection now :slight_smile:

You realise, I suppose, that you haven't actually "secured" anything?

Because Dashboard is a single-page app, everything is still loaded to the browser and anyone with any knowledge at all could get to the information.

The use case is in an internal network and the main function is to keep user away from the tab where they could use switches and sliders and so on.

Its not about securing information, its about preventing access to function elements :slight_smile:

and every normal user (what is the main user group in that network) cant reach all the switches and sliders and cant see what they shouldnt see...

With using only the Dashboard i cannot reach the secured tab...

Just so long as people don't think that this is a generic security solution. :skull_and_crossbones: :grinning:

On all browsers, the dev tools are a single button click or menu selection away and that will show everything and give access to change any of the switches as well.

ok, but most users in that group do not know that there are dev tools :slight_smile:

i will think about other ways later (ldap+reverse proxy, ip filter, perhaps other things) but this is a working solution and i dont want to " shoot sparrows with a cannon " at the moment

I can see that this is a useful feature.

When more dashboards are used for end products, then this becomes very useful to protect some mission critical operations. For example, system maintenance tab can only be operated by managers.

You see, that is exactly why I commented above.

If you come across this thread - please make sure that you understand the proposed approach above can NEVER be more than security theatre.

The Dashboard is a single-page app. It loads everything into your browser when you access it. Including the "protected" tab - whether you have "access" or not. Therefore anyone with even the slightest knowledge can access what you have tried to protect.

The only way to actually protect data in a Dashboard is to never send it in the first place until after some kind of authentication and authorisation has taken place - in Node-RED, not in the browser.

Of course I am aware of this.

I was commenting that securing tab with password is a useful feature.

It would be nice to have this feature implemented in a secure way down the road.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.