[FIX] User Suggestions & Bug Fixes

[Lissy93]

• 19b7131 Fix KeyCloak API URL
  • [FEATURE_REQUEST] change keycloak auth to be custom url instead of automatically appending /auth #564
• 33a2693 Fix guest has config access
  • [BUG] I can edit the whole config even i am a guest #590
• e2b9c15 Fix collapsible content in multi-page support
  • Multi-Page Support! #626
• 24e487c Fix layout and item size buttons
  • [BUG] "Layout" and "Item Size" buttons don't work  #629
• 9eda048Refactor make request in RSS widget
  • [QUESTION] RSS widget improvement #632
• 2fe0110 Fix material-design-icons header in schema
  • [BUG] Incorrect Header in App Settings #640
• 4287092 - Add option to hide seconds in clock widget
  • Make the "seconds" field optionnal for the clock Widget #644
• 9b33a6e Fix pageInfo not being read in router
  • [BUG] title in browser tab doesnt changes #645
• 9b33a6e Fix startingView not honored
  • [BUG] startingView not working #646
• 7b39bde - Fix Status Check default
  • [BUG] statusCheck in Items not being honored when set at appConfig level #651
• 8c43442 Add option to hide image in SportsScores Widget
  • [BUG] Sports Widget doesn’t display Premier League image correctly #654
• 3417b46 Add Adventure-basic theme
  • How to change the default bg pic from a theme? #655
    -Write docs for sub-items
  • [QUESTION] Where is sub-sections docs ? #657
• c04e80b Add Font-Awesome displaying as square to troubleshooting guide
  • Font-awesome question #659
• 7e547e7 - Show expand / collapse in context menu
  • [BUG] Can't open collapsed sections while in interactive edit mode #660
• 064c644 - Only deploy new release when relevant files have changed

Code Quality Checklist (Please complete)

• All changes are backwards compatible
• All lint checks and tests are passing
• There are no (new) build warnings or errors
• (If a new config option is added) Attribute is outlined in the schema and documented
• (If a new dependency is added) Package is essential, and has been checked out for security or performance
• Bumps version, if new feature added

[netlify]

✅ Deploy Preview for dashy-dev ready!

Name	Link
🔨 Latest commit	6d2e37d
🔍 Latest deploy log	https://app.netlify.com/sites/dashy-dev/deploys/628786efedd5df00099c2005
😎 Deploy Preview	https://deploy-preview-663--dashy-dev.netlify.app/
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site settings.

[viezly]

This pull request is split into 5 parts for easier review.
👀 Review pull request on Viezly

Changed files are located in these folders:

• .github
• /
• docs
• src

[Lissy93]

Remaining tasks:

• Add docs, and update schema for sub-items
  • [QUESTION] Where is sub-sections docs ? #657
• Bump to 2.0.9 and update changelog

[Lissy93]

If anyone has a couple minutes spare, would really appreciate a quick code review, before I merge
If it's your first time, click "Files Changed", have a quick read through, then click "Review Changes".
Thanks 🤗

[skornel02]

This will not fix issue #590 because if I understand correctly this is only a frontend check for admin privileges and therefore anyone can still realistically update the configuration file.
If you were visit the site as a guest, then proceed to add a "local" (not existing in conf.yml) user with admin role then continue to log in into that user then you can still very much update the config file however you like.
I'm suggesting a proper backend check for the already-known-good users/admins to permit unchecked file writes and command execution if there isn't one yet.

[Lissy93]

Yeah, you're right, there really should be more backend checks.

I have explained the attack in more detail in the Auth docs, as this authentication method definitely shouldn't be used outside of your local network. Keycloak is supported for more secure authentication. But it should also be possible to protect the app with any self-hosted auth provider.

Potentially the best option, is to remove simple-auth from the app all together, and let users bring their own auth provider.

[skornel02]

I'm not really sure that removing the simple-auth would fix the issue, if there is no backend check. I mean it is nice that the password is handled by Keycloak for example, but if you don't need anything to activate a backend function, only the knowledge that where it is located and sending a direct request to it.
I for one say that the password hash being publicly accessible a non-issue, but in my case Dashy is running on a mini-pc and there it is a problem if anyone can start a rebuild of the software or they can fill the available storage with freely written configuration files.
Of course what you are saying that this should be used within a local network is totally reasonable, I just advocate that we place approriate warnings, that this should not be publically accessible because of possible "attack vectors".

[skornel02]

I think that either the lack of any real security should be addressed, or at the very least there should be a highly visible indication that there is in fact no "read-only access" for guests to prevent malicious access unbeknown to anyone running this project.
ps: I really love this project, keep the amazing work up!

[liss-bot]

The fix for this issue has now been released in 2.0.9 ✨

If you haven't done so already, please update your instance to 2.0.9 or later. See 2.0.9 for full info.

Feel free to reach out if you need any more support. If you are enjoying Dashy, consider supporting the project.