Uibuilder uibindex not working

So for anyone following along, I believe that this is going to be related to having installed uibuilder with npm install node-red-contrib-uibuilder -g. This is an untested configuration and not recommended.

I think what is happening is that the user running Node-RED doesn't have the right permissions to all the files it needs. However, I may be wrong. The easiest way to check would be to:

sudo chown root:users /usr/lib/node_modules/node-red-contrib-uibuilder

Actually you can use pi:pi if running on a Pi, as long as either the user or group relates to the user running Node-RED, it should let us understand whether this is actually the issue.

Another thing to try would be to manually call the index URL with the parameter ?type=json on the end. This uses different code which I think should work since it doesn't touch the filing system.

One other thought is whether you have specified fine-grained permissions for Editor users? If you have, then you would need to add uibuilder.read to the list of permissions.

Oh yes, I install most uibuilder module with npm -g , I will try to install a local module and see if this issue still persist ..

Does installing a local module over-ride the global module ???

Thanks

I've completely removed the global version at /usr/lib/node_modules and install a local version at .node-red

Now all the node_modules are located at .node-red/node_modules

uibindex is still giving same error messages, I also cannot do ?type=json

I m running Node-red version 1.0.2

One other thought is whether you have specified fine-grained permissions for Editor users? If you have, then you would need to add uibuilder.read to the list of permissions.

Where do I change this settings for uibuilder.read ??

Try adding the defualt permissions to settings.js:

adminAuth: {
    type: "credentials",
    users: [ /* list of users */ ],
    default: {
        permissions: "read"
    }
}

Or indeed, removing them temporarily to see if that fixes the issue :grinning:

// Securing Node-RED
    // -----------------
    // To password protect the Node-RED editor and admin API, the following
    // property can be used. See http://nodered.org/docs/security.html for details.
    adminAuth: {
        type: 'credentials',
        //sessionExpiryTime: 86400, // in seconds
        default: {
            permissions: ['*'],
        },
        users: [
            {
                username: 'admin',
                password: 'dummy', //dummy
                permissions: ['*'],
            },
            {
                username: 'random',
                password: 'dummy', //dummy
                permissions: ['uibuilder.read'],
            },
        ],
    },

The above gives all permissions by default to all users.

Right, you could restrict it to uibuilder:

        default: {
            permissions: "uibuilder.read"
        }

Tried both methods, still not working ... :frowning:

Some more Infos would be helpful:

OS version
Node-red version
uibuilder version
settings.js

1 Like

Ubuntu 16.04
NR 1.0.2
node-red-contrib-uibuilder@2.0.7

settings.js everything default :

adminAuth: {
    type: "credentials",
    users: [{
        username: "admin",
        password: "#######",
        permissions: "*"
    }]
},

What happens if you comment out the adminAuth in settings.js?

The issue here is that it is Node-RED itself that is applying the security and not uibuilder. All I do is specify an option as documented in the Node-RED docs.

On line 1238 (in the security branch, may be a different line number in the master branch):

RED.httpAdmin.get('/uibindex', RED.auth.needsPermission('uibuilder.read'), function(req,res) {

So if Node-RED security is working as expected, I would think this would as well.

  • Are you logged in to the Editor with the admin user when trying to access the uibindex page? Otherwise, Node-RED is not going to apply those permissions. Remember that the uibindex page uses the Editor's permissions.

  • Are you using https?

  • Do you have the CORS settings set?

  • Are you able to request the page from the command line on the same device as Node-RED using curl/wget? What errors are you getting?

If you turn the Node-RED logging up to trace you will see a lot of output from uibuilder (and sadly from everything else as well!) which may present other clues.

Yep that works...
I have the same problem as described here by stanleyseow and without adminAuth I can now see the iubindex page.

I'm quite sure that this also works:

        default: {
            permissions: "uibuilder.read"
        }

Yes it does indeed. Thanks!

So if you use the other example:

adminAuth: {
    type: "credentials",
    users: [{
        username: "admin",
        password: "#######",
        permissions: "*"
    }]
},

Can you confirm that you are able to use it if you are logged in to the Editor as user admin? Because you should be able to.

If you can't then I need to raise it with Nick/Dave.

Found a bit of time to do some testing of my own.

I have to say that I don't think the admin API security works as I expected it to.

Take the following settings:

    adminAuth: {
        type: "credentials",
        users: [
            {
                username: "admin",
                // `reader`
                password: "$2a$08$wmsrXbrhacO5v15.vr/jWOk54pRcbqWdOljStdMycrnFbYF.kTctu",
                permissions: "*"
            },{
                username: "reader",
                password: "$2a$08$wmsrXbrhacO5v15.vr/jWOk54pRcbqWdOljStdMycrnFbYF.kTctu",
                permissions: "read"
            },{
                username: "uibreader",
                password: "$2a$08$wmsrXbrhacO5v15.vr/jWOk54pRcbqWdOljStdMycrnFbYF.kTctu",
                permissions: "uibuilder.read"
            },
        ],
    },

Log in to the Editor using the admin user id and password reader. Open the uibuindex page - everything works as expected. Now log out and log in with the uibreader account, same password. It looks like the login fails (with no error msg), don't worry about that, reload the uibindex page and you will find that it works.

Now login with the reader id (same password again). Try reloading the uibindex page and you will find that it fails.

This is NOT what I expect to happen. I expected that the read permission would take preference over the uibuilder.read - in other words that read would encompass all read permissions.

Even less sense. If you change your settings to the following and restart Node-RED:

    adminAuth: {
        type: "credentials",
        default: {
            permissions: "read"
        },
        users: [
            {
                username: "admin",
                // `reader`
                password: "$2a$08$wmsrXbrhacO5v15.vr/jWOk54pRcbqWdOljStdMycrnFbYF.kTctu",
                permissions: "*"
            },{
                username: "reader",
                password: "$2a$08$wmsrXbrhacO5v15.vr/jWOk54pRcbqWdOljStdMycrnFbYF.kTctu",
                permissions: "read"
            },{
                username: "uibreader",
                password: "$2a$08$wmsrXbrhacO5v15.vr/jWOk54pRcbqWdOljStdMycrnFbYF.kTctu",
                permissions: "uibuilder.read"
            },
        ],
    },

Now log in again using the reader id. Now the uibindex page DOES load. That appears to be inconsistent to me - perhaps I'm missing something?

Oh dear, it gets worse.

If you use:

permissions: ['*'],

That doesn't work either. And neither does:

permissions: ['*','uibuilder.read'],

From here:

From Node-RED 0.14 the permissions can be much finer grained and to support that, the property can either be a single string as before, or an array containing multiple permissions.

So I think that last one should have worked?

The following does however work which again illustrates (I think) inconsistent behaviour:

        default: {
            permissions: ['*'],
        },

This also works:

        default: {
            permissions: ['uibuilder.read'],
        },

So for now, the workaround is to include a default that incorporates either *, read or uibuilder.read depending on your security needs for the Editor interface.

Ok this works...

I'm wondering why this works for you:

default: { permissions: ['uibuilder.read'], },

but this doesn't:

default: {
   permissions: "uibuilder.read"
}

See also the Node-Red doc:

Securing Node-RED