<div dir="ltr">Sorry for the confusion, by read-only I meant that the user only has the ability to connect to the schema containing the layer and view it -- no UPDATE, DELETE, etc. This is all set up in the DB and the "read-only" user already has limited access to the layers. The problem is that if you forget to uncheck "store password" in your connection parameters, or if you use stored auth creds, and save a map to the DB, it saves with your permissions. I agree, it is a security hole that could be fixed by simply giving users the ability to strip the credentials on layers when saving to the DB. <div><br></div><div>Cliff</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, May 29, 2020 at 2:27 PM chris hermansen <<a href="mailto:clhermansen@gmail.com">clhermansen@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr">Cliff and list,<br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, May 29, 2020 at 10:29 AM Cliff Patterson <<a href="mailto:cpatterson@psdrcs.com" target="_blank">cpatterson@psdrcs.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">What is the best approach to save QGIS projects to PostgreSQL without saving the project-creator's credentials/permissions? If the DB admin creates a project and saves it to the DB, anyone opening that project will attain the admin's permissions on layers in that map. </div></blockquote><div><br></div><div>Sorry Cliff I don't have a solution, just some ideas presented below. I have to say that this sounds like a huge security hole to me; I would expect that extra work would be required to allow others to read, and especially write, someone else's data. <br></div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div><br></div><div>To recreate:</div><div><br></div><div>1) Create a map containing PostGIS layers and save project to DB. All layers should be editable by the admin. Admin is logged into DB with auth config, not basic auth. </div></div></blockquote><div><br></div><div>What are the access rights to the DB? To the tables within the DB?</div><div> <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>2) Create a new read-only user and new profile in QGIS and log in to DB.</div></div></blockquote><div><br></div><div>A "read-only user"? What is that? AFAIK the list of user restrictions in PostgreSQL is NOSUPERUSER, NOCREATEDB, NOCREATEROLE, NOINHERIT, NOLOGIN, NOREPLICATION, NOBYPASSRLS. None of those mean "read-only".<br></div><div><br></div><div>"log in to DB" implies that you have granted at least CONNECT on the DB to the new user. That is, admin must have issued at least a GRANT CONNECT ON DATABASE db TO "new user". <br></div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>3) Open the project and try to edit layers. Read-only user will be able to see and edit all layers just like the DB Admin. </div></div></blockquote><div><br></div><div>Leaving aside what a "read-only user" means, there are also the table privileges. Presumably admin could limit the "new user"'s ability to alter tables in the database by ensuring that all change rights have been revoked, e.g. REVOKE INSERT, UPDATE, DELETE, TRUNCATE ON TABLE foo, bar, paz TO "new user".</div><div><br></div><div>If some of the layers defined in the project are stored in the filesystem rather than as PostGIS/PostgreSQL tables then I presume one would need to change their accessibility as well.</div><br></div><br clear="all"><br>-- <br><div dir="ltr"><div dir="ltr">Chris Hermansen · clhermansen "at" gmail "dot" com<br><br>C'est ma façon de parler.</div></div></div>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><p style="margin-bottom:0.0001pt">Cliff Patterson Ph.D.<br><br><b>PSD</b> | Senior GIS Consultant <br>P: 519-690-2565 ext. 2616<br><a href="http://www.psdrcs.com" target="_blank">www.psdrcs.com</a><br>London | 148 Fullarton St. 9th Floor <span style="font-size:small"> </span><br></p><p style="font-size:12.8px;margin-bottom:0.0001pt"><span style="font-size:12.8px"><span style="font-size:9pt;line-height:12.84px;font-family:Verdana,sans-serif;color:rgb(0,112,192)"><img src="http://psdrcs.com/assets/email_signature.png" width="200" height="57"></span></span></p></div></div></div></div>