Add User Allowed Pages Filtering - Draft Concept #1160
Draft
Adds User Allowed Page filtering by utilizing user credentials provided by auth plugins.
Description
This is more a proof of concept PR for user page filtering using auth plugins. With my tests this seems to have been quite robust, looking for additional feedback.
Still needs to be decided whether this functionality should be integrated into D2 directly, added as a plugin or as a 3rd party node.
Working Principle
D2 will function exactly as usual unless global.store.enablePageFilter with context file is set to true.
For now, UI for Admin Management of users, groups and pages is just a Node-RED flow using D2 widgets.
Users and groups are saved to Node-RED file context storage so no database is needed. User allowed pages are then determined on a group basis and saved to and retrieved from global.store[{user}].allowedPages in memory only context.
On ui-base emitConfig() all pages, groups and widgets are filtered based on the page they reside in or if they are UI scoped. Therefore, only the allowed pages, groups, and widgets are emitted in the config to the connected dashboards. This could also have added benefit of improved load speeds.
Includes an optional zero-trust filtering approach where all users are denied access to all pages by default, or alternatively, enabling filtering for a specific user only if they have been added to user list (default?).
D2 pages are automatically populated as form options to ui-form for adding Groups in Admin Management UI, same with groups when adding User.
Uses msg._client.user.email as user ID, will need to arrive at some sort of standardization across auth plugins concerning this.
Any users logged in using an auth provider will show up as detected user in UI, which you can then assign groups to.
Data Model
As can be seen above, pages are assigned to groups and groups are then assigned to the user, after which allowed pages are then determined.
Usage
Use this branch of D2: https://github.com/cgjgh/node-red-dashboard/tree/User-Page-Filtering
Attached below is a Node-RED flow with the necessary D2 UI for Admin Management of users, groups and pages.
Integrated into the PR is a test mode which you can toggle in UI and impersonate a specific user, therefore no auth plugins are required for testing.
New groups and users can be added with the included ui-form.
Table rows can be selected to load a form to edit user or group.
Since D2 ui-table does not yet support dynamic props, included in the flow below are inject nodes with functions to generate JSON for each table with all columns for pages or groups predefined. This you can then copy from debug window and import and replace the existing tables in flow, or alternatively edit the table node.
Example UI for Admin Management
Controls
on to deny access to all pages by default, off to enable filtering only for users existing in user list (prevents locking out users while in development)
Tables
Example Flow
Related Issue(s)
Checklist
flowforge.yml?
FlowFuse/helm to update ConfigMap Template
FlowFuse/CloudProject to update values for Staging/Production
Labels
area:migration label
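
The group-based filtering described under Working Principle and Data Model above, sketched as an added example (not code from this PR or from Node-RED Dashboard). The function names, the denyByDefault flag and the shapes of the user, group and config objects are assumptions made for illustration.

```javascript
// Added illustration; not code from the PR. All names and object shapes are assumptions.
// groups: { groupName: [pageId, ...] }   users: { userId: [groupName, ...] }
function allowedPagesFor(userId, users, groups, denyByDefault) {
  if (!Object.hasOwn(users, userId)) {
    // Unknown user: no pages when deny-by-default is on, otherwise unfiltered (null).
    return denyByDefault ? new Set() : null;
  }
  const allowed = new Set();
  for (const name of users[userId]) {
    // A group name that no longer exists grants nothing (fail closed).
    for (const pageId of groups[name] ?? []) allowed.add(pageId);
  }
  return allowed;
}

// Filter the config before it is emitted, so disallowed pages never reach the client.
function filterConfig(config, allowed) {
  if (allowed === null) return config; // filtering not applied for this user
  const keep = (obj, pred) =>
    Object.fromEntries(Object.entries(obj).filter(([, v]) => pred(v)));
  const pages = keep(config.pages, (p) => allowed.has(p.id));
  const groups = keep(config.groups, (g) => allowed.has(g.page));
  // Widgets survive if their group survived, or if they are scoped to the UI itself.
  const widgets = keep(config.widgets, (w) =>
    w.group ? Object.hasOwn(groups, w.group) : Boolean(w.ui));
  return { ...config, pages, groups, widgets };
}

// Constructed sample data.
const sampleGroups = { operators: ['p-status'], admins: ['p-status', 'p-admin'] };
const sampleUsers = {
  'alice@example.com': ['operators'],
  'bob@example.com': ['admins', 'retired'], // 'retired' has no group entry
};
const sampleConfig = {
  pages: { 'p-status': { id: 'p-status' }, 'p-admin': { id: 'p-admin' } },
  groups: { g1: { page: 'p-status' }, g2: { page: 'p-admin' } },
  widgets: { w1: { group: 'g1' }, w2: { group: 'g2' }, w3: { ui: 'ui-1' } },
};

function demo(userId, denyByDefault) {
  const allowed = allowedPagesFor(userId, sampleUsers, sampleGroups, denyByDefault);
  const out = filterConfig(sampleConfig, allowed);
  return { pages: Object.keys(out.pages), widgets: Object.keys(out.widgets) };
}
console.log(demo('alice@example.com', true));
```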