[Qgis-user] Save projects to DB without creator's permissions

Cliff Patterson cpatterson at psdrcs.com
Mon Jun 1 08:29:00 PDT 2020


Tested this solution and it works perfectly. When using the same ID in the
authentication settings, the projects saved to the DB do not retain the
creator's per-layer permissions.

Thanks for the help!

Cliff

On Mon, Jun 1, 2020 at 11:19 AM Cliff Patterson <cpatterson at psdrcs.com>
wrote:

> Hi Karl and Alessandro,
>
> This is helpful but DEFINITELY not intuitive. I will test this
> configuration and report back.
>
> Cheers,
> Cliff
>
> On Mon, Jun 1, 2020 at 9:51 AM Karl Magnus Jönsson <
> Karl-Magnus.Jonsson at kristianstad.se> wrote:
>
>> Hi!
>>
>> Alessandro, you were quicker! :)
>>
>>
>>
>> If I understand correctly, the actual credentials aren't stored in the
>> project. Just the auth config ID. If the user doesn't have this in his
>> local authentication database, or has it with other credentials (read), the
>> project will not open with admin credentials.
>>
>>
>>
>> *Karl-Magnus Jönsson*
>>
>>
>>
>> *From:* Qgis-user <qgis-user-bounces at lists.osgeo.org> *On behalf of* Cliff
>> Patterson
>> *Sent:* 1 June 2020 15:36
>> *To:* Alessandro Pasotti <apasotti at gmail.com>
>> *Cc:* qgis-user <qgis-user at lists.osgeo.org>
>> *Subject:* Re: [Qgis-user] Save projects to DB without creator's permissions
>>
>>
>>
>> That's exactly the problem with the auth system. If you connect to a DB
>> using the auth system and store a map in the DB (or anywhere for that
>> matter), the map contains your credentials/permissions for EVERY layer that
>> you added. So if you create a map while logged in as DB owner (i.e. full
>> perms for every layer), any user who opens it will have full permissions on
>> every layer in the map. The only workaround for this is to remember to use
>> basic auth and uncheck "store" beside password whenever creating a shared
>> project.
>>
>>
>>
>> Any other less vulnerable workarounds would be very helpful, though I
>> doubt any exist.
>>
>>
>>
>> Cliff
>>
>>
>>
>> On Fri, May 29, 2020 at 3:03 PM Alessandro Pasotti <apasotti at gmail.com>
>> wrote:
>>
>> Maybe all that you need is in the QGIS auth system:
>> https://docs.qgis.org/3.10/en/docs/user_manual/auth_system/auth_workflows.html#changing-authentication-config-id
>>
>>
>>
>> The master password can be stored in the operating system wallet so that
>> the user will not need to type his password.
>>
>>
>>
>> Regards
>>
>>
>>
>>
>>
>> On Fri, May 29, 2020, 19:39 Cliff Patterson <cpatterson at psdrcs.com>
>> wrote:
>>
>> PS: I realize I can create maps with basic auth and not store the PW,
>> which prompts the user to enter their creds. But is there a better way now
>> to achieve the same result?
>>
>>
>>
>> Cliff
>>
>>
>>
>> On Fri, May 29, 2020 at 1:29 PM Cliff Patterson <cpatterson at psdrcs.com>
>> wrote:
>>
>> What is the best approach to save QGIS projects to PostgreSQL
>> without saving the project-creator's credentials/permissions? If the DB
>> admin creates a project and saves it to the DB, anyone opening that project
>> will attain the admin's permissions on layers in that map.
>>
>>
>>
>> To recreate:
>>
>>
>>
>> 1) Create a map containing PostGIS layers and save project to DB. All
>> layers should be editable by the admin. Admin is logged into DB with auth
>> config, not basic auth.
>>
>> 2) Create a new read-only user and new profile in QGIS and log in to DB.
>>
>> 3) Open the project and try to edit layers. Read-only user will be able
>> to see and edit all layers just like the DB Admin.
>>
>>
>>
>> Is there a way to save projects to DB WITHOUT saving any user
>> creds/permissions?
>>
>>
>>
>> Cliff
>>
>>
>>
>> --
>>
>> Cliff Patterson Ph.D.
>>
>> *PSD* | Senior GIS Consultant
>> P: 519-690-2565 ext. 2616
>> www.psdrcs.com
>> London | 148 Fullarton St. 9th Floor

-- 

Cliff Patterson Ph.D.

*PSD* | Senior GIS Consultant
P: 519-690-2565 ext. 2616
www.psdrcs.com
London | 148 Fullarton St. 9th Floor
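
An added example, not part of the original thread and not QGIS's own code: a check over a project's XML that reports, for each PostGIS layer, whether the datasource embeds a password or only references an auth config ID, which is the distinction discussed in the thread. The `.qgs` element names and the `user=`/`password=`/`authcfg=` datasource keys are assumed from the usual QGIS project format; the sample project, host name and the ID `pgshare` are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed-down QGIS project (.qgs) with mixed layers.
SAMPLE_QGS = """<qgis projectname="shared">
 <projectlayers>
  <maplayer><layername>parcels</layername><provider>postgres</provider>
   <datasource>dbname='gis' host=db.example.org port=5432 user='gis_admin' password='s3cret' table="public"."parcels" (geom)</datasource>
  </maplayer>
  <maplayer><layername>roads</layername><provider>postgres</provider>
   <datasource>dbname='gis' host=db.example.org port=5432 authcfg=pgshare table="public"."roads" (geom)</datasource>
  </maplayer>
  <maplayer><layername>rivers</layername><provider>postgres</provider>
   <datasource>dbname='gis' host=db.example.org port=5432 table="public"."rivers" (geom)</datasource>
  </maplayer>
  <maplayer><layername>basemap</layername><provider>wms</provider>
   <datasource>url=https://tiles.example.org/wms</datasource>
  </maplayer>
 </projectlayers>
</qgis>"""

# Values are either single-quoted (with backslash escapes) or bare tokens.
CRED_KEY = re.compile(r"\b(user|password|authcfg)=('(?:[^'\\]|\\.)*'|\S+)")

def classify(datasource):
    """Say how a layer's datasource string obtains its credentials."""
    found = {key: value.strip("'") for key, value in CRED_KEY.findall(datasource)}
    if found.get("password"):
        return "embedded-password"      # travels with the project to every user
    if "authcfg" in found:
        return "authcfg:" + found["authcfg"]  # resolved in each user's own auth DB
    if found.get("user"):
        return "embedded-user"          # user name stored, password prompted
    return "no-credentials"             # user is prompted on open

def audit_project(qgs_xml):
    """Return (layer name, finding) for every PostGIS layer in the project."""
    root = ET.fromstring(qgs_xml)
    report = []
    for layer in root.iter("maplayer"):
        if layer.findtext("provider") != "postgres":
            continue
        name = layer.findtext("layername", default="?")
        report.append((name, classify(layer.findtext("datasource", default=""))))
    return report

if __name__ == "__main__":
    for name, finding in audit_project(SAMPLE_QGS):
        print(f"{name:10s} {finding}")
```

A layer reported as `authcfg:<id>` opens with whatever credentials the opening user has stored under that ID, so the database role behind each user's entry is what decides their permissions.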