[Qgis-developer] qgis-mapserver: user authentication

Mayeul Kauffmann mayeul.kauffmann at free.fr
Tue Jun 14 15:53:07 EDT 2011 

Hi guys,
I'm also interested. Some of my comments below.


>  * user authentification (also needs a secure connection (https)) - 
>  could be handled by a python script?
>  * user data storage (can be in a database table (e.g. Postgis, SQLite)) 
>  - after the login, QGIS webclient could also store the basic user data, 
>  such as name and address.

I would prefer storing in the database, as it allows connectivity with
other applications and user cases that we cannot even think about.

>  * QGIS server should be made aware about table permissions 
>  (roles/groups) and build the GetCapabilities tree accordingly.
Here you seem to say: let's use the permissions of the db backend for
everything. I find this brilliant: there are plenty of tools to manage
those and the this is widely tested (which is important when security
matters). The positive side effect is that you can give direct database
access to some power users, and you still have to set the rights only
once.
My understanding is that this cannot work for SQLite (from the manual:
"the only access permissions that can be applied are the normal file
access permissions of the underlying operating system").
Second comment on this: Is the above idea about table permissions meant
only for vector data, or for PostGIS Raster? (not as widely tested).

What follows is: maybe this should be implemented only for a limited
number of RDBMS backends.
Anyway: Sure, SQLite is much easier for the desktop than Postgres
+postgis. Still, if you use https and can buy a certificate, then you
have the resources to configure Postgres+postgis.

May I ask what do you use for vector backend for QGIS server?

Hope this helps,

Mayeul


> 
>  Also, I think permissions should be attached either to
>  a) a whole .qgs project (one could use Apache permissions for that)
>  b) or certain layers in a .qgs project
> 
>  How fast do you need that implemented? I think it would be useful to 
>  include Pirmin, Marco and Jürgen into the discussion, or whoever else is 
>  interested. Maybe something to discuss in a telcon/IRC?
> 
>  Andreas
> 
>  On Tue, 14 Jun 2011 01:12:07 +0100, Giovanni Manghi wrote:
> > Hi all,
> >
> > On Thu, 2011-06-09 at 16:33 +0200, Paolo Cavallini wrote:
> >> Hi all.
> >> We are interested in an extension of current qgis-mapserver, 
> >> allowing different users
> >> (or groups of) to see different layers (or different projects).
> >> Is anyone working on that, or willing to collaborate on a mainstream 
> >> solution?
> >
> >
> > what we need to develop is quite simple (to explain). Users should be
> > able to register/login in the webclient (users data stored in a
> > geometryless table in the qgis project?), then, depending on what 
> > user
> > group the user belong, show certain layers/groups in the TOC of the 
> > web
> > client. User data (name, address, etc.) should be stored after the 
> > login
> > to allow use them in the print layouts.
> >
> > One way or another we will have to develop something like that, so we
> > would prefer to do it the right way, upstream and in a way that can 
> > be
> > useful to as much people as possible.
> >
> > If anyone is interested in collaborate please us know.
> >
> > Cheers
> >
> > -- Giovanni --
> >
> >
> > _______________________________________________
> > Qgis-developer mailing list
> > Qgis-developer at lists.osgeo.org
> > http://lists.osgeo.org/mailman/listinfo/qgis-developer
>

More information about the Qgis-developer mailing list