Hello
I find it a bit strange:
if a user looks at the JSON data
he can see the superuser's readable name
and coded password.
A bit strange???
user json superuser data
Moderator: leecollings
- waaren
- Posts: 6028
- Joined: Tuesday 03 January 2017 14:18
- Target OS: Linux
- Domoticz version: Beta
- Location: Netherlands
Re: user json superuser data
What did you put in the [Settings] [System] [Local Networks (no username/password):] field?
Debian buster, bullseye on RPI-4, Intel NUC.
dz Beta, Z-Wave, RFLink, RFXtrx433e, P1, Youless, Hue, Yeelight, Xiaomi, MQTT
==>> dzVents wiki
- luberth
- Posts: 34
- Joined: Friday 27 April 2018 7:56
- Target OS: Raspberry Pi / ODroid
- Domoticz version: 4.9700
- Location: Bangert 30 Andijk Nederland
Re: user json superuser data
Hello
It is empty, no text.
Setup=>Settings. The point is, or rather how I look at it:
I am sharing my floorplan for others to see
.......... would be nice for inspiration if more people do.
They can only watch;
when they click a switch they get => "you do not have permission to do that".
But if someone with more knowledge than me,
knowing the above view-only user login,
views the JSON,
he or maybe even she can see the superuser username in plain text
and the coded password.
I think there would be guys or even girls knowing how to decode that password,
and then they are in.
In my opinion the view-only user should not see the superuser info in the JSON with his rights.
I watch a particular JSON (I do not go into detail here; advanced Domoticz JSON users will know which one) with an online viewer:
http://jsonviewer.stack.hu/
so it's got nothing to do with local address viewing.
Setup=>More Options=>Edit Users
add an [ ] option "jsonview allowed"?????
This makes view-only user test, password test: http://test:[email protected]:8080/#/Floorplans
but this user should not be allowed to see almost all superuser info in the JSON.
- luberth
- Posts: 34
- Joined: Friday 27 April 2018 7:56
- Target OS: Raspberry Pi / ODroid
- Domoticz version: 4.9700
- Location: Bangert 30 Andijk Nederland
Re: user json superuser data
Hmmmmm
My 433MHz doorbell started playing.
Somebody in???
How did you do that?
No, the doorbell log shows no "on" action;
it must be false reception by the cheap doorbell.
There must be some similarity between the 433MHz code of the action impuls wall socket and the action doorbell:
./impuls.sh 31 C on 10
- waaren
- Posts: 6028
- Joined: Tuesday 03 January 2017 14:18
- Target OS: Linux
- Domoticz version: Beta
- Location: Netherlands
Re: user json superuser data
luberth wrote: ↑Monday 26 November 2018 8:12
Hello
It is empty, no text.
Setup=>Settings
[image: local_networks.png]
The point is, or rather how I look at it:
I am sharing my floorplan for others to see
.......... would be nice for inspiration if more people do.
They can only watch;
when they click a switch they get => "you do not have permission to do that".
But if someone with more knowledge than me,
knowing the above view-only user login,
views the JSON,
he or maybe even she can see the superuser username in plain text
and the coded password.
I think there would be guys or even girls knowing how to decode that password,
and then they are in.
In my opinion the view-only user should not see the superuser info in the JSON with his rights.
I watch a particular JSON (I do not go into detail here; advanced Domoticz JSON users will know which one) with an online viewer:
http://jsonviewer.stack.hu/
so it's got nothing to do with local address viewing.
Setup=>More Options=>Edit Users
add an [ ] option "jsonview allowed"?????
This makes view-only user test, password test: http://test:[email protected]:8080/#/Floorplans
but this user should not be allowed to see almost all superuser info in the JSON.
[image: domoticz_user.png]

I understand now. It is already possible to see your complete configuration including device attributes (name, description, etc.). Not enough authorization to control them with API calls, but too open for my liking.
Debian buster, bullseye on RPI-4, Intel NUC.
dz Beta, Z-Wave, RFLink, RFXtrx433e, P1, Youless, Hue, Yeelight, Xiaomi, MQTT
==>> dzVents wiki
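An added example (not from this thread and not Domoticz's own code) of the check an administrator would run before handing out a view-only account: walk a JSON response captured while logged in as that account and list every key that looks like a credential or contact address, so the exposure the posts above describe is found before a visitor finds it. The key patterns and the sample response are assumptions constructed for this example, not Domoticz's real field names.

```python
import json
import re

# Key names that should never reach a view-only user. The pattern list is an
# assumption for this audit, not a list of Domoticz's own field names.
SENSITIVE_KEY_RE = re.compile(
    r"(password|passwd|pwd|username|webuser|email|apikey|token|secret)",
    re.IGNORECASE,
)

def find_sensitive_fields(node, path="$"):
    """Walk a decoded JSON document and return (json_path, key, value) for
    every key whose name matches SENSITIVE_KEY_RE, at any nesting depth."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if SENSITIVE_KEY_RE.search(key):
                findings.append((child, key, value))
            findings.extend(find_sensitive_fields(value, child))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            findings.extend(find_sensitive_fields(value, f"{path}[{i}]"))
    return findings

def audit_view_only_response(json_text):
    """Parse a JSON response captured under a view-only login and return the
    JSON paths it leaks; an empty list means nothing credential-like is
    visible to that role."""
    return [p for p, _, _ in find_sensitive_fields(json.loads(json_text))]

# Constructed sample of the situation described in the thread (not a real
# Domoticz reply): a settings-style object carrying the admin account,
# its hashed password and a notification address next to plain device data.
SAMPLE_RESPONSE = json.dumps({
    "status": "OK",
    "title": "Settings",
    "WebUserName": "admin",
    "WebPassword": "<hash-placeholder>",
    "NotificationEmail": "owner@example.invalid",
    "result": [
        {"idx": "1", "Name": "Kitchen light", "SwitchType": "On/Off"},
        {"idx": "2", "Name": "Doorbell", "Users": [{"Username": "test"}]},
    ],
})

if __name__ == "__main__":
    for leaked_path in audit_view_only_response(SAMPLE_RESPONSE):
        print("leaked to view-only user:", leaked_path)
```

Run it against a response saved from a browser session that is logged in as the view-only account; every path it prints is a field the role should not have been served.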
- luberth
- Posts: 34
- Joined: Friday 27 April 2018 7:56
- Target OS: Raspberry Pi / ODroid
- Domoticz version: 4.9700
- Location: Bangert 30 Andijk Nederland
Re: user json superuser data
Sorry, I'm just a Domoticz newbie beginner
.......... so my configuration looks like .....
and you can see
_____ superuser name in plain text => that's 1 guess less, and a huge loss for the owner or a big win for the hacker,
_____ and coded password,
if you use the right JSON call.
Also you can see notification email addresses etcetera.
Much too much for this view-only viewer.
Last edited by luberth on Sunday 30 December 2018 9:19, edited 1 time in total.
- luberth
- Posts: 34
- Joined: Friday 27 April 2018 7:56
- Target OS: Raspberry Pi / ODroid
- Domoticz version: 4.9700
- Location: Bangert 30 Andijk Nederland
Re: user json superuser data
Disappointed
that there is no reaction from forum managers or programmers.