[Qgis-user] Save projects to DB without creator's permissions

Cliff Patterson cpatterson at psdrcs.com
Mon Jun 1 09:49:04 PDT 2020


Awesome, thanks!

On Mon, Jun 1, 2020 at 11:43 AM Alessandro Pasotti <apasotti at gmail.com>
wrote:

>
> Glad to hear that it worked!
>
> If you feel like the documentation should include an example, feel free to
> add some more content to the
> https://docs.qgis.org/testing/en/docs/user_manual/auth_system/auth_workflows.html
>
> There is also a section on organizations that might be relevant for this
> kind of information.
>
> https://docs.qgis.org/testing/en/docs/user_manual/introduction/qgis_configuration.html#deploying-qgis-within-an-organization
>
>
>
> On Mon, Jun 1, 2020 at 5:29 PM Cliff Patterson <cpatterson at psdrcs.com>
> wrote:
>
>> Tested this solution and it works perfectly. When using the same ID in
>> the authentication settings, the projects saved to the DB do not retain the
>> creator's per-layer permissions.
>>
>> Thanks for the help!
>>
>> Cliff
>>
>> On Mon, Jun 1, 2020 at 11:19 AM Cliff Patterson <cpatterson at psdrcs.com>
>> wrote:
>>
>>> Hi Karl and Alessandro,
>>>
>>> This is helpful but DEFINITELY not intuitive. I will test this
>>> configuration and report back.
>>>
>>> Cheers,
>>> Cliff
>>>
>>> On Mon, Jun 1, 2020 at 9:51 AM Karl Magnus Jönsson <
>>> Karl-Magnus.Jonsson at kristianstad.se> wrote:
>>>
>>>> Hi!
>>>>
>>>> Alessandro, you were quicker! :)
>>>>
>>>>
>>>>
>>>> If I understand correctly, the actual credentials aren't stored in the
>>>> project. Just the auth config ID. If the user doesn't have this in his
>>>> local authentication database, or has it with other credentials (read), the
>>>> project will not open with admin credentials.
>>>>
>>>>
>>>>
>>>> *Karl-Magnus Jönsson*
>>>>
>>>>
>>>>
>>>> *From:* Qgis-user <qgis-user-bounces at lists.osgeo.org> *On Behalf Of *Cliff
>>>> Patterson
>>>> *Sent:* 1 June 2020 15:36
>>>> *To:* Alessandro Pasotti <apasotti at gmail.com>
>>>> *Cc:* qgis-user <qgis-user at lists.osgeo.org>
>>>> *Subject:* Re: [Qgis-user] Save projects to DB without creator's
>>>> permissions
>>>>
>>>>
>>>>
>>>> That's exactly the problem with the auth system. If you connect to a DB
>>>> using the auth system and store a map in the DB (or anywhere for that
>>>> matter), the map contains your credentials/permissions for EVERY layer that
>>>> you added. So if you create a map while logged in as DB owner (i.e. full
>>>> perms for every layer), any user who opens it will have full permissions on
>>>> every layer in the map. The only workaround for this is to remember to use
>>>> basic auth and uncheck "store" beside password whenever creating a shared
>>>> project.
>>>>
>>>>
>>>>
>>>> Any other less vulnerable workarounds would be very helpful, though I
>>>> doubt any exist.
>>>>
>>>>
>>>>
>>>> Cliff
>>>>
>>>>
>>>>
>>>> On Fri, May 29, 2020 at 3:03 PM Alessandro Pasotti <apasotti at gmail.com>
>>>> wrote:
>>>>
>>>> Maybe all that you need is in the QGIS auth system:
>>>> https://docs.qgis.org/3.10/en/docs/user_manual/auth_system/auth_workflows.html#changing-authentication-config-id
>>>>
>>>>
>>>>
>>>> The master password can be stored in the operating system wallet so
>>>> that the user will not need to type his password.
>>>>
>>>>
>>>>
>>>> Regards
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On Fri, May 29, 2020, 19:39 Cliff Patterson <cpatterson at psdrcs.com>
>>>> wrote:
>>>>
>>>> PS: I realize I can create maps with basic auth and not store the PW,
>>>> which prompts the user to enter their creds. But is there a better way now
>>>> to achieve the same result?
>>>>
>>>>
>>>>
>>>> Cliff
>>>>
>>>>
>>>>
>>>> On Fri, May 29, 2020 at 1:29 PM Cliff Patterson <cpatterson at psdrcs.com>
>>>> wrote:
>>>>
>>>> What is the best approach to save QGIS projects to PostgreSQL
>>>> without saving the project-creator's credentials/permissions? If the DB
>>>> admin creates a project and saves it to the DB, anyone opening that project
>>>> will attain the admin's permissions on layers in that map.
>>>>
>>>>
>>>>
>>>> To recreate:
>>>>
>>>>
>>>>
>>>> 1) Create a map containing PostGIS layers and save project to DB. All
>>>> layers should be editable by the admin. Admin is logged into DB with auth
>>>> config, not basic auth.
>>>>
>>>> 2) Create a new read-only user and new profile in QGIS and log in to DB.
>>>>
>>>> 3) Open the project and try to edit layers. Read-only user will be able
>>>> to see and edit all layers just like the DB Admin.
>>>>
>>>>
>>>>
>>>> Is there a way to save projects to DB WITHOUT saving any user
>>>> creds/permissions?
>>>>
>>>>
>>>>
>>>> Cliff
>>>>
>>>>
>>>>
>>>> --
>>>>
>>>> Cliff Patterson Ph.D.
>>>>
>>>> *PSD* | Senior GIS Consultant
>>>> P: 519-690-2565 ext. 2616
>>>> www.psdrcs.com
>>>> London | 148 Fullarton St. 9th Floor
>>>>
>>>>
>>>>
>>>>
>>>
>>
>
> --
> Alessandro Pasotti
> QCooperative:  www.qcooperative.net
> ItOpen:   www.itopen.it
>


-- 

Cliff Patterson Ph.D.

*PSD* | Senior GIS Consultant
P: 519-690-2565 ext. 2616
www.psdrcs.com
London | 148 Fullarton St. 9th Floor
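
An added example, not part of the original thread: a check a project publisher could run before sharing a project, reporting for each layer whether its datasource carries only an auth config ID (the case Karl-Magnus describes), a stored basic-auth password, or a username only. It assumes the project is available as a `.qgs` XML file with layer connection strings in `<datasource>` elements; the sample project, layer names, accounts and the ID `shared1` are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed .qgs project with three PostGIS layers.
SAMPLE_QGS = """<qgis version="3.10.0"><projectlayers>
<maplayer><layername>parcels</layername><datasource>dbname='gis' host=db.example.org port=5432 authcfg=shared1 key='id' table="public"."parcels" (geom)</datasource></maplayer>
<maplayer><layername>roads</layername><datasource>dbname='gis' host=db.example.org port=5432 user='gis_admin' password='constructed-secret' key='id' table="public"."roads" (geom)</datasource></maplayer>
<maplayer><layername>hydrants</layername><datasource>dbname='gis' host=db.example.org port=5432 user='viewer' key='id' table="public"."hydrants" (geom)</datasource></maplayer>
</projectlayers></qgis>"""

AUTHCFG_RE = re.compile(r"\bauthcfg=(\w+)")
KEY_RE = re.compile(r"\b(user|password)=")


def audit_project(qgs_xml):
    """Return {layer name: finding} for every <maplayer> in a .qgs document."""
    findings = {}
    for layer in ET.fromstring(qgs_xml).iter("maplayer"):
        name = layer.findtext("layername", default="?")
        uri = layer.findtext("datasource", default="")
        keys = {m.group(1) for m in KEY_RE.finditer(uri)}
        authcfg = AUTHCFG_RE.search(uri)
        if "password" in keys:
            # The password travels with the project: every user who opens it
            # connects as this account.
            findings[name] = "stored-password"
        elif authcfg:
            # Only the ID is in the project; each user's own authentication
            # database decides which credentials that ID resolves to.
            findings[name] = "authcfg:" + authcfg.group(1)
        elif "user" in keys:
            # Basic auth without a stored password: the user is prompted.
            findings[name] = "username-only"
        else:
            findings[name] = "no-credentials"
    return findings


if __name__ == "__main__":
    for layer, finding in audit_project(SAMPLE_QGS).items():
        print(f"{layer:10} {finding}")
```

A project is safe to share under the scheme discussed in the thread when no layer reports `stored-password` and every `authcfg:` ID is the one agreed for the organization.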