[BUG] I can edit the whole config even if I am a guest #590

Closed
4 tasks done
reke-buchenau opened this issue Apr 6, 2022 · 11 comments
Labels
🐛 Bug [ISSUE] Ticket describing something that isn't working 🔨 Fixed ‼️ High Priority [ISSUE] An issue or PR that needs to be dealt with urgently 🛩️ Released 2.0.9


@reke-buchenau

Environment

Self-Hosted (Docker)

Version

2.0.6

Describe the problem

Hi,

I can edit the whole config even if I am in guest mode. I removed all cookies and caches but nothing happened.

This is my Config:

{
  "appConfig": {
    "customCss": "",
    "layout": "vertical",
    "iconSize": "large",
    "theme": "one-dark",
    "language": "de",
    "startingView": "default",
    "defaultOpeningMethod": "newtab",
    "statusCheck": true,
    "statusCheckInterval": 5,
    "faviconApi": "google",
    "routingMode": "hash",
    "enableMultiTasking": false,
    "widgetsAlwaysUseProxy": false,
    "webSearch": {
      "disableWebSearch": false,
      "searchEngine": "google",
      "openingMethod": "newtab",
      "searchBangs": {}
    },
    "enableFontAwesome": true,
    "enableMaterialDesignIcons": false,
    "hideComponents": {
      "hideHeading": false,
      "hideNav": false,
      "hideSearch": false,
      "hideSettings": false,
      "hideFooter": true
    },
    "auth": {
      "enableGuestAccess": true,
      "users": [
        {
          "user": "admin",
          "hash": "passwordhash",
          "type": "admin"
        }
      ],
      "enableKeycloak": false
    },
    "showSplashScreen": true,
    "preventWriteToDisk": false,
    "preventLocalSave": true,
    "disableConfiguration": false,
    "allowConfigEdit": true,
    "enableServiceWorker": false,
    "disableContextMenu": false,
    "disableUpdateChecks": false,
    "disableSmartSort": false,
    "enableErrorReporting": false,
    "customColors": {
      "one-dark": {
        "primary": "#c5cad3",
        "background": "#282c33",
        "background-darker": "#1c1f23"
      }
    }
  },
  "pageInfo": {
    "title": "IT Linksammlung",
    "description": "Alle wichtigen Links",
    "navLinks": [],
    "footerText": ""
  },
  "sections": [
    {
      "name": "Server",
      "icon": "fas fa-globe",
      "displayData": {
        "sortBy": "default",
        "rows": 1,
        "cols": 1,
        "collapsed": false,
        "hideForGuests": false
      },
      "items": [
        {
        }
      ]
    }
  ]
}

Can you help me?

Additional info

No response


@reke-buchenau reke-buchenau added the 🐛 Bug [ISSUE] Ticket describing something that isn't working label Apr 6, 2022
@am93

am93 commented Apr 15, 2022

Same (or similar) issue is also in version 2.0.7, where authentication is not working. I configured conf.yml and created two users under appConfig.auth.users as instructed in the documentation. I also disabled guestAccess with appConfig.enableGuestAccess: false.

When I open application in the browser I don't get any authentication requests.

@liss-bot liss-bot added the 👤 Awaiting Maintainer Response [ISSUE] Response from repo author is pending label Apr 15, 2022
@am93

am93 commented Apr 15, 2022

Ignore my previous comment - it is related to issue #601

@reke-buchenau are you using docker compose?

@liss-bot liss-bot removed the 👤 Awaiting Maintainer Response [ISSUE] Response from repo author is pending label Apr 16, 2022
@dtypo

dtypo commented May 5, 2022

Same problem here.
I can use the "interactive editor", the "edit page info", the "Edit app config" and the general "Edit config", allowing to write to disk, even if I'm guest. The guests are supposed to only visualize the dashboard, not to edit it 🤔
Obviously there is an admin user set.

@liss-bot liss-bot added the 👤 Awaiting Maintainer Response [ISSUE] Response from repo author is pending label May 5, 2022
@LeoColman
Contributor

@am93
I am using docker-compose and facing this issue

@Lissy93 Lissy93 added the ‼️ High Priority [ISSUE] An issue or PR that needs to be dealt with urgently label May 5, 2022
@dtypo

dtypo commented May 5, 2022

I've just discovered that, as guest, I can even see all the users and relative hashes


@LeoColman
Contributor

A quick "Hold the line" workaround is to make the conf file read only in docker.

volumes:
    - /my/path/to/confs:/app/public:ro
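
Added example (not part of the original thread and not Dashy's own code): a small JavaScript audit that flags the combination reported in this issue, guest access enabled while the config stays writable, and checks whether the config volume carries the `:ro` workaround above. The function names, the finding texts and the by-name reading of the config keys are assumptions of this example.

```javascript
// Added example: audit a parsed Dashy config plus its compose volume entries.
// Key names come from the config posted in this issue; how they are read
// (by name) and the finding wording are assumptions of this example.

// True when a short-syntax volume entry "host:container[:opts]" carries "ro".
// Assumes POSIX-style paths (no drive-letter colons).
function isReadOnlyMount(spec) {
  const parts = String(spec).split(':');
  if (parts.length < 3) return false; // no options field at all
  return parts[parts.length - 1].split(',').includes('ro');
}

// configVolumeSpecs: the compose volume entries that mount the config directory.
function auditGuestExposure(config, configVolumeSpecs = []) {
  const app = (config && config.appConfig) || {};
  const auth = app.auth || {};
  const users = Array.isArray(auth.users) ? auth.users : [];
  const findings = [];

  // Guest mode only exists once users are defined and guest access is on.
  const guestsAllowed = auth.enableGuestAccess === true && users.length > 0;
  if (!guestsAllowed) return findings;

  if (app.preventWriteToDisk !== true) {
    findings.push('preventWriteToDisk is not true while guest access is on');
  }
  if (app.disableConfiguration !== true) {
    findings.push('configuration UI is not disabled while guest access is on');
  }
  if (users.some((u) => typeof u.hash === 'string' && u.hash.length > 0)) {
    findings.push('user hashes live in a config that guests can load');
  }
  if (!configVolumeSpecs.some(isReadOnlyMount)) {
    findings.push('no config volume is mounted read-only (:ro)');
  }
  return findings;
}

// Constructed sample, reduced from the config in the original report.
const sampleConfig = {
  appConfig: {
    preventWriteToDisk: false,
    disableConfiguration: false,
    auth: { enableGuestAccess: true, users: [{ user: 'admin', hash: 'passwordhash', type: 'admin' }] },
  },
};

console.log(auditGuestExposure(sampleConfig, ['/my/path/to/confs:/app/public']));
console.log(auditGuestExposure(sampleConfig, ['/my/path/to/confs:/app/public:ro']));
```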

@LeoColman
Contributor

I've tracked some of what could be to these files:

src/components/InteractiveEditor/EditModeSaveMenu.vue

<Button
  :click="writeToDisk"
  :disallow="!permissions.allowWriteToDisk"
  v-tooltip="tooltip($t('interactive-editor.menu.save-disk-tooltip'))"
>
  {{ $t('interactive-editor.menu.save-disk-btn') }}
  <SaveToDiskIcon />
</Button>

src/utils/Auth.js

export const isUserAdmin = () => {
  const users = getUsers();
  if (users.length === 0) return true; // Authentication not setup
  if (!isLoggedIn()) return false; // Auth setup, but not signed in as a valid user
  const currentUser = localStorage[localStorageKeys.USERNAME];
  let isAdmin = false;
  users.forEach((user) => {
    if (user.user === currentUser) {
      if (user.type === 'admin') isAdmin = true;
    }
  });
  return isAdmin;
};

I couldn't dig much deeper

@liss-bot liss-bot removed the 👤 Awaiting Maintainer Response [ISSUE] Response from repo author is pending label May 6, 2022
@reke-buchenau
Author

> Ignore my previous comment - it is related to issue #601
>
> @reke-buchenau are you using docker compose?

Hi, sorry for my late reply. Yes, I use docker compose.

@liss-bot liss-bot added the 👤 Awaiting Maintainer Response [ISSUE] Response from repo author is pending label May 6, 2022
@WahidBawa

I'm having this same issue, I'm also using docker-compose. I guess I'll leave guest access off until this is fixed.

@liss-bot liss-bot removed the 👤 Awaiting Maintainer Response [ISSUE] Response from repo author is pending label May 9, 2022
@skornel02

I'm facing the same issue. Contrary to others I'm running this self-compiled.
This is a very serious issue, is there any update on this?
Any way I try to configure it, the only way to make guests unable to edit is - as mentioned above - to set the file to read only.

@liss-bot liss-bot added the 👤 Awaiting Maintainer Response [ISSUE] Response from repo author is pending label May 18, 2022
@liss-bot liss-bot removed the 👤 Awaiting Maintainer Response [ISSUE] Response from repo author is pending label May 20, 2022
@liss-bot
Collaborator

The fix for this issue has now been released in 2.0.9 ✨

If you haven't done so already, please update your instance to 2.0.9 or later. See 2.0.9 for full info.

Feel free to reach out if you need any more support. If you are enjoying Dashy, consider supporting the project.
