[Qgis-user] Save projects to DB without creator's permissions

Cliff Patterson cpatterson at psdrcs.com
Mon Jun 1 08:19:40 PDT 2020


Hi Karl and Alessandro,

This is helpful but DEFINITELY not intuitive. I will test this
configuration and report back.

Cheers,
Cliff

On Mon, Jun 1, 2020 at 9:51 AM Karl Magnus Jönsson <
Karl-Magnus.Jonsson at kristianstad.se> wrote:

> Hi!
>
> Alessandro, you were quicker! :)
>
>
>
> If I understand correctly, the actual credentials aren't stored in the
> project. Just the auth config ID. If the user doesn't have this in his
> local authentication database, or has it with other credentials (read), the
> project will not open with admin credentials.
>
>
>
> *Karl-Magnus Jönsson*
>
>
>
> *From:* Qgis-user <qgis-user-bounces at lists.osgeo.org> *On behalf of* Cliff
> Patterson
> *Sent:* 1 June 2020 15:36
> *To:* Alessandro Pasotti <apasotti at gmail.com>
> *Cc:* qgis-user <qgis-user at lists.osgeo.org>
> *Subject:* Re: [Qgis-user] Save projects to DB without creator's permissions
>
>
>
> That's exactly the problem with the auth system. If you connect to a DB
> using the auth system and store a map in the DB (or anywhere for that
> matter), the map contains your credentials/permissions for EVERY layer that
> you added. So if you create a map while logged in as DB owner (i.e. full
> perms for every layer), any user who opens it will have full permissions on
> every layer in the map. The only workaround for this is to remember to use
> basic auth and uncheck "store" beside password whenever creating a shared
> project.
>
>
>
> Any other less vulnerable workarounds would be very helpful, though I
> doubt any exist.
>
>
>
> Cliff
>
>
>
> On Fri, May 29, 2020 at 3:03 PM Alessandro Pasotti <apasotti at gmail.com>
> wrote:
>
> Maybe all that you need is in the QGIS auth system:
> https://docs.qgis.org/3.10/en/docs/user_manual/auth_system/auth_workflows.html#changing-authentication-config-id
>
>
>
> The master password can be stored in the operating system wallet so that
> the user will not need to type his password.
>
>
>
> Regards
>
>
>
>
>
> On Fri, May 29, 2020, 19:39 Cliff Patterson <cpatterson at psdrcs.com> wrote:
>
> PS: I realize I can create maps with basic auth and not store the PW,
> which prompts the user to enter their creds. But is there a better way now
> to achieve the same result?
>
>
>
> Cliff
>
>
>
> On Fri, May 29, 2020 at 1:29 PM Cliff Patterson <cpatterson at psdrcs.com>
> wrote:
>
> What is the best approach to save QGIS projects to PostgreSQL
> without saving the project-creator's credentials/permissions? If the DB
> admin creates a project and saves it to the DB, anyone opening that project
> will attain the admin's permissions on layers in that map.
>
>
>
> To recreate:
>
>
>
> 1) Create a map containing PostGIS layers and save project to DB. All
> layers should be editable by the admin. Admin is logged into DB with auth
> config, not basic auth.
>
> 2) Create a new read-only user and new profile in QGIS and log in to DB.
>
> 3) Open the project and try to edit layers. Read-only user will be able to
> see and edit all layers just like the DB Admin.
>
>
>
> Is there a way to save projects to DB WITHOUT saving any user
> creds/permissions?
>
>
>
> Cliff
>
>
>
> --
>
> Cliff Patterson Ph.D.
>
> *PSD* | Senior GIS Consultant
> P: 519-690-2565 ext. 2616
> www.psdrcs.com
> London | 148 Fullarton St. 9th Floor

-- 

Cliff Patterson Ph.D.

*PSD* | Senior GIS Consultant
P: 519-690-2565 ext. 2616
www.psdrcs.com
London | 148 Fullarton St. 9th Floor
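
An added example (not part of the thread and not QGIS code): a check that could be run on a project file before sharing it, reporting per layer whether the datasource string carries a stored username/password or only an auth config ID, which is the distinction discussed in the messages above. It assumes a .qgs-style XML file with `<maplayer>`/`<datasource>` elements and PostgreSQL-style `key=value` datasource strings; the sample project, host name, user and ID are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample standing in for a .qgs project file (not a real project).
SAMPLE_QGS = """<qgis><projectlayers>
 <maplayer><layername>parcels</layername>
  <datasource>dbname='gis' host=db.example.org port=5432 authcfg=a1b2c3d key='id' table="public"."parcels" (geom)</datasource></maplayer>
 <maplayer><layername>roads</layername>
  <datasource>dbname='gis' host=db.example.org port=5432 user='gis_admin' password='constructed pw' key='id' table="public"."roads" (geom)</datasource></maplayer>
 <maplayer><layername>zones</layername>
  <datasource>dbname='gis' host=db.example.org port=5432 key='id' table="public"."zones" (geom)</datasource></maplayer>
</projectlayers></qgis>"""

# key=value or key='quoted value' pairs; quoted values are consumed whole,
# so text inside a quoted password is never mistaken for another key.
PAIR = re.compile(r"(\w+)=(?:'((?:[^'\\]|\\.)*)'|(\S+))")

def audit_datasource(datasource):
    """Report what a datasource string stores, without echoing secrets."""
    params = {}
    for m in PAIR.finditer(datasource):
        params[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    findings = []
    if "password" in params:
        findings.append("password stored in project")
    if "user" in params:
        findings.append("username stored in project")
    if "authcfg" in params:
        findings.append("auth config ID " + params["authcfg"])
    return findings or ["no credentials or auth reference"]

def audit_project(xml_text):
    """Map each layer name to the findings for its datasource."""
    report = {}
    for layer in ET.fromstring(xml_text).iter("maplayer"):
        name = layer.findtext("layername", default="(unnamed)")
        report[name] = audit_datasource(layer.findtext("datasource", default=""))
    return report

if __name__ == "__main__":
    for name, findings in audit_project(SAMPLE_QGS).items():
        print(f"{name}: {', '.join(findings)}")
```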