home-assistant / frontend

Frontend for Home Assistant
https://demo.home-assistant.io

Restricted user still has access on views and dashboards set at NOT visible to it if manually modifies the URL in browser #20655

Open raduigret opened 2 months ago

raduigret commented 2 months ago

Describe the issue you are experiencing

I have set up a user, let's call it MyNonAdmin, with visibility rights to only 2 of 4 views and only 1 of 2 dashboards:

- Lovelace Dashboard (default) with views /Lovelace/0 and /Lovelace/1
- Other Dashboard with views /Other/0, /Other/1, /Other/2, /Other/3

MyNonAdmin user is set to have visibility rights ONLY to views /Other/2 and /Other/3.

This works OK if only the mouse is used to browse the interface: NONE of the Lovelace views is visible, only the Lovelace Overview tab in the sidebar and only the /Other/2 and /Other/3 view tabs.

BUT, when I log in with the MyNonAdmin user in Chrome Incognito, if I manually change the URL from /Other/2 or /Other/3, which are allowed, to /Other/0 or /Other/1 from the same dashboard, which should not be allowed to view, I can see the content of those tabs, 0 and 1. Furthermore, if I change the URL to /Lovelace/0 or /Lovelace/1, I can also see those views and their content, the same as the Admin user would see them.

Describe the behavior you expected

Visibility rights should not allow a user to view pages not assigned to it, no matter how it reaches those URLs.

Steps to reproduce the issue

  1. Create a new dashboard and add 2 or more views
  2. Create a new non-admin user
  3. Set visibility for the new user to only 1 of the new dashboard views, let's say /mydashboard/0 only
  4. Log in with this user
  5. Manually change the URL from /mydashboard/0 to /mydashboard/1 or /lovelace/0, /lovelace/1
  6. You should not be able to see the content of those views not set for visibility

What version of Home Assistant Core has the issue?

2024.4.3

What was the last working version of Home Assistant Core?

No response

In which browser are you experiencing the issue?

Google Chrome 124.0.6367.92 (Official Build) (64-bit)

Which operating system are you using to run this browser?

Windows 10 Home (64-bit)

State of relevant entities

No response

Problem-relevant frontend configuration

No response

Javascript errors shown in your browser console/inspector

No response

Additional information

No response

piitaya commented 2 months ago

This option is only about visibility, not restriction. It's totally normal to have access if you type the URL manually. It's explained in the documentation: https://www.home-assistant.io/dashboards/views/#visible