[Qgis-user] Save projects to DB without creator's permissions
Cliff Patterson
cpatterson at psdrcs.com
Mon Jun 1 06:35:45 PDT 2020
That's exactly the problem with the auth system. If you connect to a DB
using the auth system and store a map in the DB (or anywhere for that
matter), the map contains your credentials/permissions for EVERY layer that
you added. So if you create a map while logged in as DB owner (i.e. full
perms for every layer), any user who opens it will have full permissions on
every layer in the map. The only workaround for this is to remember to use
basic auth and uncheck "store" beside password whenever creating a shared
project.
Any other less vulnerable workarounds would be very helpful, though I doubt
any exist.
Cliff
On Fri, May 29, 2020 at 3:03 PM Alessandro Pasotti <apasotti at gmail.com>
wrote:
> Maybe all that you need is in the QHIS auth system is
> https://docs.qgis.org/3.10/en/docs/user_manual/auth_system/auth_workflows.html#changing-authentication-config-id
>
> The master password can be stored in the operating system wallet so that
> the user will not need to type his password.
>
> Regards
>
>
> On Fri, May 29, 2020, 19:39 Cliff Patterson <cpatterson at psdrcs.com> wrote:
>
>> PS: I realize I can create maps with basic auth and not store the PW,
>> which prompts the user to enter their creds. But is there a better way now
>> to achieve the same result?
>>
>> Cliff
>>
>> On Fri, May 29, 2020 at 1:29 PM Cliff Patterson <cpatterson at psdrcs.com>
>> wrote:
>>
>>> What is the best approach to save QGIS projects to PostgreSQL
>>> without saving the project-creator's credentials/permissions? If the DB
>>> admin creates a project and saves it to the DB, anyone opening that project
>>> will attain the admin's permissions on layers in that map.
>>>
>>> To recreate:
>>>
>>> 1) Create a map containing PostGIS layers and save project to DB. All
>>> layers should be editable by the admin. Admin is logged into DB with auth
>>> config, not basic auth.
>>> 2) Create a new read-only user and new profile in QGIS and log in to DB.
>>> 3) Open the project and try to edit layers. Read-only user will be able
>>> to see and edit all layers just like the DB Admin.
>>>
>>> Is there a way to save projects to DB WITHOUT saving any user
>>> creds/permissions?
>>>
>>> Cliff
>>>
>>> --
>>>
>>> Cliff Patterson Ph.D.
>>>
>>> *PSD* | Senior GIS Consultant
>>> P: 519-690-2565 ext. 2616
>>> www.psdrcs.com
>>> London | 148 Fullarton St. 9th Floor
>>>
>>>
>>
>> --
>>
>> Cliff Patterson Ph.D.
>>
>> *PSD* | Senior GIS Consultant
>> P: 519-690-2565 ext. 2616
>> www.psdrcs.com
>> London | 148 Fullarton St. 9th Floor
>>
>> _______________________________________________
>> Qgis-user mailing list
>> Qgis-user at lists.osgeo.org
>> List info: https://lists.osgeo.org/mailman/listinfo/qgis-user
>> Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-user
>
>
--
Cliff Patterson Ph.D.
*PSD* | Senior GIS Consultant
P: 519-690-2565 ext. 2616
www.psdrcs.com
London | 148 Fullarton St. 9th Floor
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osgeo.org/pipermail/qgis-user/attachments/20200601/c5e9d9bb/attachment.html>
More information about the Qgis-user
mailing list