I’m planning a multiuser openHAB system. I saw there are two types
of user roles (admins, users). My question is what exactly is the difference between them, because I logged in with both user roles and I cannot see a difference.
In my system the users shouldn’t be able to edit the HABpanel Dashboard. Is there any option to disable editing the panel for users?
Roles only affect access to the REST API and MainUI. HABPanel is completely ignorant of users and roles so I know of no way to prevent anyone who can access HABPanel from modifying it based on role. There is a command you can issue in the Karaf Console to disable editing of HABPanels entirely though.
Can only access the Items part of the REST API
Can only see the user facing UIs (i.e. BasicUI, HABPanel, MainUI Pages)
Unless a setting is changed, non-logged in users take on the user role
Everything from the user role plus…
Has full access to the REST API
In MainUI has a Settings menu entry where all the administration of openHAB is possible (create Things, Items, Rules, etc.)
Has access to the Developer Tools where the interactive REST API Docs and Custom Widget Builder reside.
Finally, in MainUI you can hide UI elements based on the user’s role, but this is not a security feature, just a display feature.
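A small check, added here and not written by anyone in this thread, that probes an openHAB instance with an API token and classifies it by which of the role boundaries described above it can cross (Items only = user, full REST API = admin, partial = something to investigate). It assumes openHAB 3's /rest/items, /rest/things, /rest/rules and /rest/ui/components/ui:page endpoints and Bearer-token auth; base_url and the token are yours, and the fake responses at the bottom are constructed so it can run offline.

```python
# Added example (not from the thread): probe an openHAB 3 instance with an
# API token and report whether it behaves like the "user" role (Items only)
# or the "admin" role (full REST API) described in the answer above.
# Assumed: endpoints /rest/items, /rest/things, /rest/rules,
# /rest/ui/components/ui:page, and "Authorization: Bearer <token>" auth.
import urllib.error
import urllib.request

# Read-only endpoints the answer says only admins may reach.
ADMIN_ONLY = ["/rest/things", "/rest/rules", "/rest/ui/components/ui:page"]
# Endpoints the user role (and, by default, anonymous visitors) may reach.
USER_OK = ["/rest/items"]


def http_status(base_url, path, token=None):
    """Return the HTTP status code of a GET on base_url + path."""
    req = urllib.request.Request(base_url + path)
    if token:
        req.add_header("Authorization", "Bearer " + token)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code  # 401/403 are the interesting answers here


def effective_role(base_url, token=None, status=http_status):
    """Classify a token as 'admin', 'user', 'none' or 'inconsistent'."""
    user_reach = all(200 <= status(base_url, p, token) < 300 for p in USER_OK)
    admin_reach = [200 <= status(base_url, p, token) < 300 for p in ADMIN_ONLY]
    if not user_reach:
        return "none"          # cannot even read Items: no usable access
    if all(admin_reach):
        return "admin"
    if not any(admin_reach):
        return "user"
    return "inconsistent"      # partial admin access: worth investigating


def fake_status(answers):
    """Offline stand-in for http_status built from a constructed table."""
    return lambda base_url, path, token=None: answers.get(path, 401)


if __name__ == "__main__":
    # Constructed server answers: Items readable, admin endpoints refused.
    user_server = fake_status({"/rest/items": 200})
    print(effective_role("http://openhab:8080", "TOKEN", user_server))
```

Run it against a real instance by passing your base URL and token and omitting the third argument; a user-role token that returns anything other than "user" is a configuration problem to look into.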
For HABPanel specifically, in OH3 you need to login with the Main UI first so that your login info is stored and HABPanel can access it when making the requests to the API to update the dashboards.
Only admins are allowed to make changes to “UI components” like main UI pages or widgets, and HABPanel dashboards which now use the same storage infrastructure; but it’s possible that the editing UI could mistakenly be unlocked for regular users with a valid access token (even if they won’t be able to save them, it would be refused by the API).
While reflecting on this I’m not even actually sure “mistakenly” is appropriate here.
When HABPanel was conceived in 2016 (!) the only option to save your dashboard configuration was your browser’s local storage - the idea was, you design your dashboards on your tablet, you hang it on the wall somehow, and that’s it. This was obviously problematic as people wanted to share configuration among multiple devices and save them to less volatile storage. Nevertheless this has been kept as an option from the start, in fact in OH2 when you started with HABPanel you started with a local configuration and then switched to server storage.
So I believe allowing regular (logged in) users to design dashboards locally, based on the items they have access to, is perfectly acceptable as they might want to design a personal & private view. The thing is to clearly indicate that saving them on the server for everybody is not possible unless they have the proper permissions.
It’s ok to hide the editing features to “guests” though (when you’re not even logged in) because this could be the default when making a wall-mounted tablet - you don’t want your guests to be tampering with stuff, and if you happen to have a need for it? Just ask your household’s admin for a user account.