Disable custom options to use Homarr as a public dockers access page

Open theoroborus opened this issue 2 years ago • 5 comments

Description

I was searching for a way to make a simple webpage where I could give public access to some dockers which would be then protected by Authelia. Homarr seems perfect for that.

However, in order to prevent the users from messing with the dockers and page settings, I would like to be able to have some way of removing:

  • The Settings/Docker/Add Service buttons on the top right
  • The edit button on each App icon.

I saw the custom CSS feature request; 339. A simple "display: none" would do the trick, would be less safe but good enough in my use case; with a limited amount of public users.

Priority

Low (Nice-to-have)

theoroborus avatar Aug 15 '22 13:08 theoroborus

+1 to this. Hope it gets added soon as it seems like it should be fairly easy to implement. Maybe even just add a password to the settings so only the administrator can access them

notcreeperdude avatar Aug 16 '22 02:08 notcreeperdude

A simple "display: none" would do the trick, would be less safe but good enough in my use case; with a limited amount of public users.

The problem is that if someone (or a bot) finds your homarr public url and it's not protected by any means, they can easily get your API keys / credentials to other services you most likely have not protected either.

We need to make it the right way to affirm that it is 100% safe to expose homarr publicly

ajnart avatar Aug 22 '22 15:08 ajnart

Indeed, in that case I would have protected it with Authelia, it was just a quick suggestion as a workaround in case CSS injection is easier to develop.

theoroborus avatar Aug 22 '22 15:08 theoroborus

would it make sense to integrate OpenID/authentik/authelia auth into homarr as a way to protect the page? this would have the knock-on effect of protecting the services linked on the homarr main page as well

thesimonho avatar Aug 27 '22 07:08 thesimonho

would it make sense to integrate OpenID/authentik/authelia auth into homarr as a way to protect the page? this would have the knock-on effect of protecting the services linked on the homarr main page as well

Basically you can already; the issue is that once logged in, even if it's a trusted user, he can accidentally turn off dockers or add some, thinking it's features you gave him access to.

theoroborus avatar Aug 27 '22 09:08 theoroborus

As mentioned in #419, we are working on this for 0.12. But for a temporary solution, until 0.12 is done, we could add an environment variable that simply disables the edit mode. Would this solve your concern of users accidentally editing your dashboard?

https://github.com/ajnart/homarr/discussions/419#discussioncomment-5027353

We are working on better methods and complex authentication, but this takes a ton of time... Until that is done, this solution could be quite useful for some IMO.

manuel-rw avatar Feb 19 '23 21:02 manuel-rw

An experimental solution for this has been implemented in 0.11.5. https://homarr-docs-git-docs-security-ajnart.vercel.app/docs/advanced/read-only

As stated in the documentation, we'll implement a more complex system for this in 0.12.

manuel-rw avatar Feb 26 '23 17:02 manuel-rw

Done in v0.14.0

ajnart avatar Nov 10 '23 23:11 ajnart