[Qgis-user] Save projects to DB without creator's permissions

Alessandro Pasotti apasotti at gmail.com
Mon Jun 1 08:43:46 PDT 2020


Glad to hear that it worked!

If you feel like the documentation should include an example, feel free to
add some more content to the
https://docs.qgis.org/testing/en/docs/user_manual/auth_system/auth_workflows.html

There is also a section on organizations that might be relevant for this
kind of information.
https://docs.qgis.org/testing/en/docs/user_manual/introduction/qgis_configuration.html#deploying-qgis-within-an-organization



On Mon, Jun 1, 2020 at 5:29 PM Cliff Patterson <cpatterson at psdrcs.com>
wrote:

> Tested this solution and it works perfectly. When using the same ID in the
> authentication settings, the projects saved to the DB do not retain the
> creator's per-layer permissions.
>
> Thanks for the help!
>
> Cliff
>
> On Mon, Jun 1, 2020 at 11:19 AM Cliff Patterson <cpatterson at psdrcs.com>
> wrote:
>
>> Hi Karl and Alessandro,
>>
>> This is helpful but DEFINITELY not intuitive. I will test this
>> configuration and report back.
>>
>> Cheers,
>> Cliff
>>
>> On Mon, Jun 1, 2020 at 9:51 AM Karl Magnus Jönsson <
>> Karl-Magnus.Jonsson at kristianstad.se> wrote:
>>
>>> Hi!
>>>
>>> Alessandro, you were quicker! :)
>>>
>>>
>>>
>>> If I understand correctly, the actual credentials aren't stored in the
>>> project. Just the auth config ID. If the user doesn't have this in his
>>> local authentication database, or has it with other credentials (read), the
>>> project will not open with admin credentials.
>>>
>>>
>>>
>>> *Karl-Magnus Jönsson*
>>>
>>>
>>>
>>> *From:* Qgis-user <qgis-user-bounces at lists.osgeo.org> *On behalf of* Cliff
>>> Patterson
>>> *Sent:* 1 June 2020 15:36
>>> *To:* Alessandro Pasotti <apasotti at gmail.com>
>>> *Cc:* qgis-user <qgis-user at lists.osgeo.org>
>>> *Subject:* Re: [Qgis-user] Save projects to DB without creator's
>>> permissions
>>>
>>>
>>>
>>> That's exactly the problem with the auth system. If you connect to a DB
>>> using the auth system and store a map in the DB (or anywhere for that
>>> matter), the map contains your credentials/permissions for EVERY layer that
>>> you added. So if you create a map while logged in as DB owner (i.e. full
>>> perms for every layer), any user who opens it will have full permissions on
>>> every layer in the map. The only workaround for this is to remember to use
>>> basic auth and uncheck "store" beside password whenever creating a shared
>>> project.
>>>
>>>
>>>
>>> Any other less vulnerable workarounds would be very helpful, though I
>>> doubt any exist.
>>>
>>>
>>>
>>> Cliff
>>>
>>>
>>>
>>> On Fri, May 29, 2020 at 3:03 PM Alessandro Pasotti <apasotti at gmail.com>
>>> wrote:
>>>
>>> Maybe all that you need in the QGIS auth system is
>>> https://docs.qgis.org/3.10/en/docs/user_manual/auth_system/auth_workflows.html#changing-authentication-config-id
>>>
>>>
>>>
>>> The master password can be stored in the operating system wallet so that
>>> the user will not need to type his password.
>>>
>>>
>>>
>>> Regards
>>>
>>>
>>>
>>>
>>>
>>> On Fri, May 29, 2020, 19:39 Cliff Patterson <cpatterson at psdrcs.com>
>>> wrote:
>>>
>>> PS: I realize I can create maps with basic auth and not store the PW,
>>> which prompts the user to enter their creds. But is there a better way now
>>> to achieve the same result?
>>>
>>>
>>>
>>> Cliff
>>>
>>>
>>>
>>> On Fri, May 29, 2020 at 1:29 PM Cliff Patterson <cpatterson at psdrcs.com>
>>> wrote:
>>>
>>> What is the best approach to save QGIS projects to PostgreSQL
>>> without saving the project-creator's credentials/permissions? If the DB
>>> admin creates a project and saves it to the DB, anyone opening that project
>>> will attain the admin's permissions on layers in that map.
>>>
>>>
>>>
>>> To recreate:
>>>
>>>
>>>
>>> 1) Create a map containing PostGIS layers and save project to DB. All
>>> layers should be editable by the admin. Admin is logged into DB with auth
>>> config, not basic auth.
>>>
>>> 2) Create a new read-only user and new profile in QGIS and log in to DB.
>>>
>>> 3) Open the project and try to edit layers. Read-only user will be able
>>> to see and edit all layers just like the DB Admin.
>>>
>>>
>>>
>>> Is there a way to save projects to DB WITHOUT saving any user
>>> creds/permissions?
>>>
>>>
>>>
>>> Cliff
>>>
>>>
>>>
>>> --
>>>
>>> Cliff Patterson Ph.D.
>>>
>>> *PSD* | Senior GIS Consultant
>>> P: 519-690-2565 ext. 2616
>>> www.psdrcs.com
>>> London | 148 Fullarton St. 9th Floor
>>
>
>

-- 
Alessandro Pasotti
QCooperative:  www.qcooperative.net
ItOpen:   www.itopen.it
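
An added example, not part of the original thread: a Python check over a project's layer datasource strings that reports which layers carry an embedded password and which only reference an auth config ID, the distinction the thread turns on. The sample project XML, layer names, host and config IDs are constructed, and it assumes the project is available as `.qgs` XML with `user=`, `password=` and `authcfg=` keys in each PostGIS datasource string.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed .qgs project with four PostGIS layers.
SAMPLE_QGS = """<qgis>
 <projectlayers>
  <maplayer><layername>parcels</layername>
   <datasource>dbname='gis' host=db.example.org port=5432 authcfg=shr0001 table="public"."parcels" (geom)</datasource>
  </maplayer>
  <maplayer><layername>roads</layername>
   <datasource>dbname='gis' host=db.example.org port=5432 user='dbadmin' password='not-a-real-secret' table="public"."roads" (geom)</datasource>
  </maplayer>
  <maplayer><layername>zones</layername>
   <datasource>dbname='gis' host=db.example.org port=5432 authcfg=adm1n99 table="public"."zones" (geom)</datasource>
  </maplayer>
  <maplayer><layername>rivers</layername>
   <datasource>dbname='gis' host=db.example.org port=5432 user='viewer' table="public"."rivers" (geom)</datasource>
  </maplayer>
 </projectlayers>
</qgis>"""

# key=value or key='quoted value' pairs that relate to authentication
KEY_RE = re.compile(r"\b(authcfg|user|username|password)=('(?:[^'\\]|\\.)*'|\S+)")

def audit_project(qgs_xml, shared_ids):
    """Classify each layer by how it authenticates.

    shared_ids: auth config IDs that every user profile is expected to
    define locally, each with that user's own credentials.
    Returns (layer name, status, authcfg id or None); secrets are never returned.
    """
    findings = []
    for layer in ET.fromstring(qgs_xml).iter("maplayer"):
        name = layer.findtext("layername", default="?")
        uri = layer.findtext("datasource", default="")
        keys = {k: v.strip("'") for k, v in KEY_RE.findall(uri)}
        if "password" in keys:
            status = "embedded-password"   # creator's secret travels with the project
        elif "authcfg" in keys:
            # Only the ID is stored; it resolves in each user's own auth database.
            status = "authcfg-shared" if keys["authcfg"] in shared_ids else "authcfg-unknown"
        elif "user" in keys or "username" in keys:
            status = "user-only"           # password not stored, user is prompted
        else:
            status = "no-credentials"
        findings.append((name, status, keys.get("authcfg")))
    return findings

if __name__ == "__main__":
    for row in audit_project(SAMPLE_QGS, {"shr0001"}):
        print(row)
```

Layers reported as `embedded-password` or `authcfg-unknown` are the ones to fix before a project is shared: the first carries the creator's login, the second points at an ID other profiles will not have.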