From eca0c44320ad9cce6577a89cf1b8b6aa0ce35c01 Mon Sep 17 00:00:00 2001 From: Alicia Sykes Date: Fri, 20 Aug 2021 22:20:04 +0100 Subject: [PATCH] :memo: Writes docs for granular auth access --- docs/authentication.md | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/docs/authentication.md b/docs/authentication.md index cb46cf02..4013bc15 100644 --- a/docs/authentication.md +++ b/docs/authentication.md 
@@ -39,6 +39,33 @@ Once authentication is enabled, so long as there is no valid token in cookie sto ## Enabling Guest Access With authentication setup, by default no access is allowed to your dashboard without first logging in with valid credentials. Guest mode can be enabled to allow for read-only access to a secured dashboard by any user, without the need to log in. A guest user cannot write any changes to the config file, but can apply modifications locally (stored in their browser). You can enable guest access, by setting `appConfig.enableGuestAccess: true`. +## Granular Access +You can use the following properties to make certain sections only visible to some users, or hide sections from guests. +- `hideForUsers` - Section will be visible to all users, except for those specified in this list +- `showForUsers` - Section will be hidden from all users, except for those specified in this list +- `hideForGuests` - Section will be visible for logged in users, but not for guests + +For Example: + +```yaml +- name: Code Analysis & Monitoring + icon: fas fa-code + displayData: + cols: 2 + hideForUsers: [alicia, bob] + items: + ... +``` + +```yaml +- name: Deployment Pipelines + icon: fas fa-rocket + displayData: + hideForGuests: true + items: + ... +``` + ## Security Since all authentication is happening entirely on the client-side, it is vulnerable to manipulation by an adversary. An attacker could look at the source code, find the function used generate the auth token, then decode the minified JavaScript to find the hash, and manually generate a token using it, then just insert that value as a cookie using the console, and become a logged in user. Therefore, if you need secure authentication for your app, it is strongly recommended to implement this using your web server, or use a VPN to control access to Dashy. The purpose of the login page is merely to prevent immediate unauthorized access to your homepage.
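Review bot: the new "Granular Access" section should state that `hideForUsers`, `showForUsers` and `hideForGuests` only control what is rendered in the browser and are not an access control, since the "Security" section immediately below explains that all authentication happens client-side and can be bypassed by anyone who reads the source or forges the cookie; a hidden section's items are still present in the config that every client downloads. Suggest adding a sentence after the property list such as "These properties only affect what is displayed; the full config is still readable by any client, so they should not be used to protect sensitive data". Two documentation gaps also worth closing in the same hunk: what the entries in `hideForUsers: [alicia, bob]` are matched against (the configured username, and whether the match is case-sensitive), and which rule wins when both `hideForUsers` and `showForUsers` are set on one section. Minor style: "For Example:" should read "For example:", and the two YAML snippets would be easier to follow if each carried a one-line description of what it demonstrates (hiding from named users vs. hiding from guests).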