mirror of https://github.com/Lissy93/dashy.git
📝 Writes docs for granular auth access
parent
78e1fc6c94
commit
eca0c44320
|
@ -39,6 +39,33 @@ Once authentication is enabled, so long as there is no valid token in cookie sto
|
|||
## Enabling Guest Access
|
||||
With authentication setup, by default no access is allowed to your dashboard without first logging in with valid credentials. Guest mode can be enabled to allow for read-only access to a secured dashboard by any user, without the need to log in. A guest user cannot write any changes to the config file, but can apply modifications locally (stored in their browser). You can enable guest access, by setting `appConfig.enableGuestAccess: true`.
|
||||
|
||||
## Granular Access
|
||||
You can use the following properties to make certain sections only visible to some users, or hide sections from guests.
|
||||
- `hideForUsers` - Section will be visible to all users, except for those specified in this list
|
||||
- `showForUsers` - Section will be hidden from all users, except for those specified in this list
|
||||
- `hideForGuests` - Section will be visible for logged in users, but not for guests
|
||||
|
||||
For Example:
|
||||
|
||||
```yaml
|
||||
- name: Code Analysis & Monitoring
|
||||
icon: fas fa-code
|
||||
displayData:
|
||||
cols: 2
|
||||
hideForUsers: [alicia, bob]
|
||||
items:
|
||||
...
|
||||
```
|
||||
|
||||
```yaml
|
||||
- name: Deployment Pipelines
|
||||
icon: fas fa-rocket
|
||||
displayData:
|
||||
hideForGuests: true
|
||||
items:
|
||||
...
|
||||
```
|
||||
|
||||
## Security
|
||||
Since all authentication is happening entirely on the client-side, it is vulnerable to manipulation by an adversary. An attacker could look at the source code, find the function used generate the auth token, then decode the minified JavaScript to find the hash, and manually generate a token using it, then just insert that value as a cookie using the console, and become a logged in user. Therefore, if you need secure authentication for your app, it is strongly recommended to implement this using your web server, or use a VPN to control access to Dashy. The purpose of the login page is merely to prevent immediate unauthorized access to your homepage.
|
||||
|
||||
|
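Review bot: The "Granular Access" section is missing a caveat that `hideForUsers`, `showForUsers` and `hideForGuests` are display filters, not access control. The "Security" paragraph directly below says all authentication happens on the client side and can be manipulated, so a reader could wrongly take "only visible to some users" as a guarantee. Suggest adding a sentence under the bullet list that points to the Security section and advises against relying on these properties to protect sensitive links. Two smaller points: both examples nest the properties under `displayData`, but the prose never says where they belong, and the docs do not say what happens when `hideForUsers` and `showForUsers` are both set on one section. "For Example:" should also read "For example:".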