i’ve made a testuser as normal user to see what he can see. There i found a big issue!
As normal user / global read / demo they have access to plugins. i don’t want that.
even more than that: i have only weathermap installed as a plugin and as normal user i can enter and see the entire network (that’s a NO GO for me) and enter into the CONFIG of weathermap!!! a normal user can change everything in weathermap!
so it isn’t possible to hide the plugin section all together from the normal users? enable / disable / hide?
edit: found a workaround. After the weathermap is set up and working, disable the plugin.
You can enter the weathermap in your dashboard by using “external images”. Of course, anyone else can do that if he knows the URL, but at least no one enter easily into the editor (still can enter into editor if someone just uses the URL… still… it’s something. maybe if i rename editor.php in something else would do the trick… still… not very elegant
We have a similar issue here, a Normal user can access the oxidized plugin (gain a device list) and Edit the Weather-map plugin.
Understandably these are separate applications, but either a permissions view for plugin menu items, or locking these menu’s down to admin only would be handy. Any thoughts?
I realize this thread is almost 2 years old, but I found myself needing to restrict the plugins sections from clients.
I have built lots of fine Network Weathermap (great software) for our company. We now have clients that want to see their billing graphs, but we don’t want them to see all the pretty Network Weathermap maps.
Is there a solution to this “hide the plugins” problem?
Hi,
The plugin framework in LibreNMS is very basic, so right now, there is no solution. You are of course welcome to discuss and come with a Pull Request that would add this feature.
Hi, that is really old issue but still annoying
Should it be enough for the mass if we had a switch in the config to disable all Plugins für Level 0 users(normal user)?
What would be the estimated effort? If I understand that, the old Plugin System has no security implementation at all.
Disable the plugin (so its not visible to regular users)
add .htaccess;
librenms:~/html/plugins/Weathermap/output$ more .htaccess
<Files ~ "home\.*">
Deny from all
Allow from 192.168.1.0/28
</Files>
<Files ~ "work\.*">
Deny from all
Allow from 10.0.1.0/24
Allow from 192.168.1.0/28
</Files>
librenms:~/html/plugins/Weathermap/output$