Hi Andrea, thanks for your reply, evidently I've misinterpreted the documentation and didn't realize a limit rule had to be followed by an allow rule.
My problem is now that I still can't have multiple limit rules, because the merged AccessInfoInternal (as per resolveRuleset()) will have its allowed geometry set to the intersection of all the limit-rule geometries, instead of their union. Is that correct, or an edge case?

Cheers,
Gabe

On Sat, 3 Dec 2022 at 16:42, Andrea Aime <andrea.a...@geosolutionsgroup.com> wrote:

> Yep, the documentation about rule matching seems to confirm what I said:
>
> https://github.com/geoserver/geofence/wiki/Rule-matching#rule-evaluation
>
> Cheers
> Andrea
>
> On Fri, Dec 2, 2022 at 5:30 PM Andrea Aime <andrea.a...@geosolutionsgroup.com> wrote:
>
>> Hi Gabriel,
>> if memory serves me well (and I might be wrong) limit rules only apply on
>> top of a rule allowing access, so you need two rules, one that says "yes you
>> can access" and another of limit type saying "but with the following
>> limitations".
>>
>> Cheers
>> Andrea
>>
>> On Fri, Dec 2, 2022 at 1:23 PM Gabriel Roldan <gabriel.rol...@gmail.com> wrote:
>>
>>> Hi,
>>> I think this is a GeoFence bug, but would need confirmation.
>>>
>>> RuleLimits are not being respected, as far as I can see.
>>> For example, if I want to create a Rule stating a given user or role
>>> can see all layers but within a given area, my understanding is that
>>> a Rule with Access Type = LIMIT and an allowed area WKT would do,
>>> but that's just not being applied.
>>>
>>> Digging into it, it looks like RuleReaderServiceImpl's
>>> resolveRuleset(List<Rule> ruleList)
>>> <https://github.com/geoserver/geofence/blob/cdaee4ac2cc7a3f6dc692a2dec282f6667a4031e/src/services/core/services-impl/src/main/java/org/geoserver/geofence/services/RuleReaderServiceImpl.java#L303-L343>
>>> does nothing when a Rule has RuleLimits, boiling down to
>>>
>>>     private AccessInfoInternal resolveRuleset(List<Rule> ruleList) {
>>>         List<RuleLimits> limits = new ArrayList<>();
>>>         AccessInfoInternal ret = null;
>>>         for (Rule rule : ruleList) {
>>>             if(ret != null)
>>>                 break;
>>>             switch(rule.getAccess()) {
>>>                 case LIMIT:
>>>                     RuleLimits rl = rule.getRuleLimits();
>>>                     if(rl != null)
>>>                         limits.add(rl);
>>>                     break;
>>>                 ....
>>>             }
>>>         }
>>>         return ret;
>>>     }
>>>
>>> That is, it adds the RuleLimits to the limits list, and then just returns
>>> null.
>>>
>>> Additionally, the following makes it build an AccessInfoInternal only
>>> for the first Rule in the ruleList:
>>>
>>>     for (Rule rule : ruleList) {
>>>         if(ret != null)
>>>             break;
>>>
>>> Meaning that if more than one rule matched the filter, only the first
>>> one will be considered.
>>>
>>> My use case is an external system that sets up rules for companies based on
>>> roles, which come from another system, and can have several rules per
>>> company with different allowed areas, for all layers. Ideally, I shouldn't
>>> need to merge these areas in order to create a single rule, but have them
>>> match the external system's.
>>>
>>> I've a patch [1] that makes it consider both the RuleLimits and all the
>>> matching rules in the resolveRuleset(List<Rule> ruleList) argument.
>>>
>>> [1]
>>> https://github.com/groldan/geofence/commit/5290c1760746f4e93ff4915c9e80a19a09e433be
>>>
>>> With it, I can set up two Rules with different allowed areas, both for
>>> all layers, and have them applied as expected (or as I understand it's
>>> expected). The following image is a layer preview of tiger_roads with both
>>> rules applied:
>>>
>>> [image: image.png]
>>>
>>> So, is my understanding correct and can I proceed to issue a PR?
>>>
>>> Cheers,
>>>
>>> --
>>> Gabriel Roldán
>>> _______________________________________________
>>> Geoserver-devel mailing list
>>> Geoserver-devel@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/geoserver-devel
>>>
>>
>> --
>>
>> Regards,
>>
>> Andrea Aime
>>
>> ==
>> GeoServer Professional Services from the experts!
>>
>> Visit http://bit.ly/gs-services-us for more information.
>> ==
>>
>> Ing. Andrea Aime
>> @geowolf
>> Technical Lead
>>
>> GeoSolutions Group
>> phone: +39 0584 962313
>> fax: +39 0584 1660272
>> mob: +39 339 8844549
>>
>> https://www.geosolutionsgroup.com/
>> http://twitter.com/geosolutions_it
>>
>> -------------------------------------------------------
>>
>> This email is intended only for the person or entity to which it is
>> addressed and may contain information that is privileged, confidential or
>> otherwise protected from disclosure. We remind that - as provided by
>> European Regulation 2016/679 "GDPR" - copying, dissemination or use of this
>> e-mail or the information herein by anyone other than the intended
>> recipient is prohibited. If you have received this email by mistake, please
>> notify us immediately by telephone or e-mail.
>>

--
Gabriel Roldán

_______________________________________________
Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel
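The merge question in Gabe's reply (intersection versus union of the limit-rule areas once an allow rule follows them), as an added example that is not GeoFence's code: a Python model of the rule-list reduction the quoted resolveRuleset() performs, with areas reduced to axis-aligned boxes so it runs without a geometry library. The Rule, Box, resolve and visible names and the box-based areas are assumptions of this example; GeoFence itself works on WKT geometries.

```python
# Added example, not GeoFence code: a model of how a matched rule list is
# reduced to one access decision, contrasting the two ways the LIMIT areas
# could be merged (intersection vs. union). Rule ordering follows the quoted
# resolveRuleset(): LIMIT rules accumulate, the first other rule decides.
from dataclasses import dataclass
from typing import List, Optional, Tuple

Box = Tuple[float, float, float, float]  # (minx, miny, maxx, maxy), assumed shape


@dataclass
class Rule:
    access: str                          # "ALLOW", "DENY" or "LIMIT"
    allowed_area: Optional[Box] = None   # only meaningful for LIMIT rules


def intersect(a: Box, b: Box) -> Optional[Box]:
    """Box intersection, or None when the boxes do not overlap."""
    minx, miny = max(a[0], b[0]), max(a[1], b[1])
    maxx, maxy = min(a[2], b[2]), min(a[3], b[3])
    return (minx, miny, maxx, maxy) if minx < maxx and miny < maxy else None


def resolve(rules: List[Rule], merge: str) -> Tuple[str, Optional[List[Box]]]:
    """Return (grant, areas). areas is None for unrestricted access, a list of
    boxes the user may see, or [] when the merged limit leaves nothing."""
    limits = [r.allowed_area for r in rules if r.access == "LIMIT" and r.allowed_area]
    for rule in rules:
        if rule.access == "LIMIT":
            continue                         # limits only qualify a later ALLOW
        if rule.access == "DENY" or not limits:
            return rule.access, None
        if merge == "union":
            return "ALLOW", limits           # visible if inside any limit area
        merged: Optional[Box] = limits[0]    # intersection: inside all of them
        for box in limits[1:]:
            merged = intersect(merged, box) if merged else None
        return "ALLOW", [merged] if merged else []
    return "DENY", None                      # no deciding rule: default deny


def visible(point: Tuple[float, float], areas: Optional[List[Box]]) -> bool:
    """Would a feature at `point` be served under the resolved access?"""
    if areas is None:
        return True
    x, y = point
    return any(b[0] <= x <= b[2] and b[1] <= y <= b[3] for b in areas)


# Constructed sample: two disjoint company areas followed by the ALLOW rule.
RULES = [Rule("LIMIT", (0, 0, 10, 10)), Rule("LIMIT", (20, 20, 30, 30)), Rule("ALLOW")]
```

With disjoint areas the intersection merge resolves to an empty allowed area, so the user sees nothing on any layer, while the union merge serves features inside either area.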